Date: Mon, 16 May 2005 13:08:03 +0800
From: pokley <pokleyzz@...n-associates.net>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Postnuke 0.750 - 0.760rc4 local file inclusion


Product : Postnuke 0.750 (http://www.postnuke.com)
Description: Postnuke 0.750 - 0.760rc4 local file inclusion
Severity: High

Description
===========
Postnuke is a web content management system written in PHP, using MySQL
as its database backend.

Detail
======

Directory traversal in function pnModFunc
-----------------------------------------

We have found a serious vulnerability in the function pnModFunc that allows
any user to view or include local files. It is caused by a lack of error
checking in pnModFunc when the user supplies func through index.php. The
func variable is sanitized with pnVarCleanFromInput, which strips slashes
before the value is passed to pnModFunc in index.php; this makes null-byte
poisoning possible. With the help of the pnlang directory in the Blocks
module, this vulnerability is very easy to exploit. Remote code execution is
also possible with the help of a third-party module that allows image
upload, or through an accessible Apache log file.

--pnMod.php--
    } else {
        if (file_exists("modules/$modname/pn$type/$func.php")) {

            require_once("modules/$modname/pn$type/$func.php"); // <-- THE PROBLEM

            return $modfunc($args);
        }
-------------
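The following is an added example, not PostNuke's own code and not the vendor's fix, showing one way the loader above could be hardened: every path component supplied by the user is checked against a strict identifier pattern before it is used to build a filename, and the resolved path is additionally required to stay under the modules directory. The names pnIsSafeName, pnResolveModFile, pnModFuncSafe and MODULES_DIR are assumptions made for this illustration; the "{$modname}_{$type}_{$func}" naming of the target function is likewise assumed, since the fragment above does not show how $modfunc is built.

```php
<?php
// Added example (not PostNuke's own code): a hardened replacement for the
// "file_exists + require_once" pattern. MODULES_DIR is an assumed constant.
define('MODULES_DIR', __DIR__ . '/modules');

// Accept only plain identifiers for the module, type and function names.
// This rejects '/', '\\', '.' and NUL, so a "../" traversal or a "%00"
// truncation never reaches the filesystem. The check is done on the raw
// string, so it does not depend on what pnVarCleanFromInput did earlier.
function pnIsSafeName($name)
{
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1;
}

// Resolve the candidate file and confirm it lies inside MODULES_DIR.
// Returns the canonical path, or null if a name is unsafe or the file
// does not exist. (Assumed helper, not part of PostNuke.)
function pnResolveModFile($modname, $type, $func)
{
    foreach (array($modname, $type, $func) as $part) {
        if (!pnIsSafeName($part)) {
            return null;
        }
    }
    $candidate = MODULES_DIR . "/$modname/pn$type/$func.php";
    $real = realpath($candidate);
    $base = realpath(MODULES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    // Defence in depth: even with validated names, insist on the prefix.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Assumed hardened equivalent of pnModFunc: refuses to include anything
// that did not pass pnResolveModFile, then calls the module function.
function pnModFuncSafe($modname, $type, $func, $args = array())
{
    $file = pnResolveModFile($modname, $type, $func);
    if ($file === null) {
        return false;
    }
    require_once $file;
    $modfunc = "{$modname}_{$type}_{$func}"; // assumed naming convention
    if (!function_exists($modfunc)) {
        return false;
    }
    return $modfunc($args);
}

// Constructed inputs for the demonstration: the shape of the advisory's
// proof-of-concept value, the same without the NUL byte, and a normal name.
$samples = array(
    "../../../../../../etc/passwd\0",
    '../../../../../../etc/passwd',
    'main',
);
foreach ($samples as $func) {
    printf("%-34s -> %s\n",
        addcslashes($func, "\0"),
        pnIsSafeName($func) ? 'accepted' : 'rejected');
}
```

The identifier check alone is what closes the hole; the realpath prefix test is a second line of defence for the case where a later change relaxes the pattern. Because the names are validated before any filesystem call, the NUL byte is rejected by the regex rather than reaching file_exists() or require_once(), which is where the truncation in the original code occurred.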

Proof of concept
================
http://server.com/index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00
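As an added example that is not part of the advisory, the short scanner below reads Apache combined-format access log lines and flags requests whose module, type or func parameter decodes to something other than a plain identifier, which covers both the raw "../" form and percent-encoded variants of the request shown above. The function name pnIsSuspiciousRequest and the three log lines are constructed for this illustration.

```php
<?php
// Added example (not PostNuke's own code): flag index.php requests whose
// module/type/func parameters are not plain identifiers.

// Pull the quoted request line out of a combined-format access log entry
// and decide whether its query parameters look like traversal or NUL abuse.
function pnIsSuspiciousRequest($logLine)
{
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return false; // not a request line we understand
    }
    $query = parse_url($m[2], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false; // no query string at all
    }
    // parse_str() percent-decodes values, so "%2e%2e%2f" and "%00" are
    // turned back into the bytes the application would have seen.
    parse_str($query, $params);
    foreach (array('module', 'type', 'func') as $key) {
        if (!isset($params[$key])) {
            continue;
        }
        if (!is_string($params[$key])
            || preg_match('/^[A-Za-z0-9_]{1,64}$/', $params[$key]) !== 1) {
            return true;
        }
    }
    return false;
}

// Constructed log lines: one ordinary request, one matching the shape of the
// proof-of-concept, and one using percent-encoded separators.
$logLines = array(
    '10.0.0.5 - - [16/May/2005:13:08:03 +0800] "GET /index.php?module=Blocks&type=user&func=main HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/May/2005:13:09:10 +0800] "GET /index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00 HTTP/1.1" 200 1743',
    '10.0.0.9 - - [16/May/2005:13:09:41 +0800] "GET /index.php?module=Blocks&type=lang&func=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1743',
);

foreach ($logLines as $line) {
    echo (pnIsSuspiciousRequest($line) ? 'SUSPICIOUS ' : 'ok         '), $line, "\n";
}
```

Run it against a real log with `while read -r l; do ...; done` or by swapping the array for file(). Matching on the decoded parameter rather than on a literal "../" substring is deliberate: encoded forms reach the application as the same bytes, so the detector should reason about what the application saw, not about how it was spelled on the wire.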

Fix
===
A fix has been available from the PostNuke CVS since 5th May 2005.

http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48

http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/index.php.diff?r1=1.39&r2=1.40

Vendor Response
===============
3rd May 2005 - Vendor contacted
4th May 2005 - Vendor Reply
5th May 2005 - Fix Available

Thanks
======
Thanks to Andreas Krapoh from PostNuke for the fast response on this issue.
