Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[VulnWatch] Postnuke v 0.723 SQL injection and directory traversing
Date: Sun Mar 09 2003 - 02:18:28 CST
Products: Postnuke v 0.723 (http://www.postnuke.com)
Date: 09 March 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Summary: Postnuke v 0.723 SQL injection and directory traversing
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.
There is multiple vulnerabilities in Postnuke v 0.723 as described below.
1) SQL Injection in Members_List module
There is lack in error checking in $sortby variable which is stripslashes.
This variable is used as SQL query to select postnuke member list.
2) Directory traversing through $theme variable
Attacker may include file any file named theme.php
Vendor has been contacted on 24/02/2003 and fix is available from
Proof of concept
Postnuke remote command execution
- PostNuke v0.723 maybe other
- PostNuke user
- Mysql user must have permision to select into outfile (FILE_PREV)
1) Register as postnuke user.
2) Login as user you just registered. After login change your "Real name"
to something like "<?system($HTTP_GET_VARS[cmd])?>" or just
3) Sql injection in "Members_List" modules.
Select user information into /tmp/theme.php
4) Directory traversing in $theme variable
Run command on server