lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <opr6gk45lgsmddlu@sampah.scan-associates.com>
Date: Thu, 15 Apr 2004 02:18:31 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
   "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>
Subject: [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection


Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Postnuke v 0.726 and below SQL injection

Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.

Details
=======
We have found multiple vulnerabilities in Postnuke v 0.726 as described
below.

SQL Injection in NS-Comments module
-----------------------------------
There is SQL injection in INSERT statement for variable "sid" in file
modules/NS-Comments/index.php line 1142:


                          VALUES ($nextid, ".pnVarPrepForStore($pid).",
".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                    '".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");


This will allow Postnuke user with permission to post comment include any
character in their comment and perform XSS attack to steal other user  
cookies.

SQL Injection in NS-Your_Account module
----------------------------------------
There is SQL injection in UPDATE statement for variable "timezoneoffset"
in file modules/NS-Your_Account/user/modules/changeinfo.php php line 334
and 354:

   $column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "

This will allow Postnuke user to change information for other user account
including Administrator password.

Workaround
==========
1) modules/NS-Comments/index.php

                          VALUES ($nextid, '".pnVarPrepForStore($pid)."',
'".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                    '".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

2)modules/NS-Your_Account/user/modules/changeinfo.php

$column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'

Proof of concept
================
[http://www.scan-associates.net/papers/post_nuker.php.txt]

Vendor Response
===============
05 February 2004	- security@...tnuke.com contacted through email. no  
response.
07 April 2004	- security@...tnuke.com contacted through email. no  
response.		

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ