[<prev] [next>] [day] [month] [year] [list]
Message-ID: <opr6gk45lgsmddlu@sampah.scan-associates.com>
Date: Thu, 15 Apr 2004 02:18:31 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>
Subject: [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection
Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: Postnuke v 0.726 and below SQL injection
Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.
Details
=======
We have found multiple vulnerabilities in Postnuke v 0.726 as described
below.
SQL Injection in NS-Comments module
-----------------------------------
There is SQL injection in INSERT statement for variable "sid" in file
modules/NS-Comments/index.php line 1142:
VALUES ($nextid, ".pnVarPrepForStore($pid).",
".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");
This will allow Postnuke user with permission to post comment include any
character in their comment and perform XSS attack to steal other user
cookies.
SQL Injection in NS-Your_Account module
----------------------------------------
There is SQL injection in UPDATE statement for variable "timezoneoffset"
in file modules/NS-Your_Account/user/modules/changeinfo.php php line 334
and 354:
$column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "
This will allow Postnuke user to change information for other user account
including Administrator password.
Workaround
==========
1) modules/NS-Comments/index.php
VALUES ($nextid, '".pnVarPrepForStore($pid)."',
'".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");
2)modules/NS-Your_Account/user/modules/changeinfo.php
$column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'
Proof of concept
================
[http://www.scan-associates.net/papers/post_nuker.php.txt]
Vendor Response
===============
05 February 2004 - security@...tnuke.com contacted through email. no
response.
07 April 2004 - security@...tnuke.com contacted through email. no
response.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists