Search | Research | Contact Us Tuesday October 10, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Vulnerabilities In PostNuke 0.726 Phoenix
January 03, 2022
Vendor : PostNuke
URL : http://www.postnuke.com
Version : PostNuke 0.726 Phoenix && Older
Risk : SQL Injection && Cross Site Scipting
BID : http://www.securityfocus.com/bid/7047


Description:
PostNuke is a popular Open Source CMS (Content Management System) used by millions of people all across the world.

SQL Injection Vulnerability:
SQL Injection is possible by passing unexpected data to the "sortby" variable in the "members_list" module. This vulnerability may allow an attacker to manipulate queries as well as view the full physical path of the PostNuke installation. This is due to user input of the "sortby" variable not being properly sanitized.

modules.php?op=modload&name;=Members_List&file;=index&letter;=All&sortby;=[Evil_Query]

Cross Site Scripting:
XSS is possible via the download module by injecting HTML or Script into the "ttitle" variable when viewing the details of an item for download. Example:

name=Downloads&file;=index&req;=viewdownloaddetails&lid;=[VLID]&ttitle;=">[CODE]

[VLID] = Should be the valid id number of a file for download.
[CODE] = Any script or HTML etc.

Solution:
An update has been released regarding the SQL Injection vulnerability. The XSS vuln however will not be fixed until future releases of PostNuke as it is really not possible to Hijack a users PostNuke session using a stolen session ID, thus limiting the chances of this being harmful to any users or administrators. Much respect to the PostNuke Dev team and especially Andreas Krapohl aka larsneo for being very prompt and professional about issuing a fix for this immediately. The fixed may be obtained from the official PostNuke website at http://www.postnuke.com

http://lists.postnuke.com/pipermail/postnuke-security/2004q1/000001.html

Credits:
James Bercegay of the GulfTech Security Research Team.