lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 22 Aug 2005 16:28:08 -0000
From: max@...tsuper.pl
To: bugtraq@...urityfocus.com
Subject: [SECURITYREASON.COM] Multiple vulnerabilities in PostNuke
 0.760-RC4b=>x cXIb8O3.15


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Multiple vulnerabilities in PostNuke 0.760-RC4b=>x cXIb8O3.15]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 12.6.2005
from SECURITYREASON.COM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Sql injection in Download ---

This sql injection is non critical because exploit works only with admin rights (mysql).

The problem is in "modules/Downloads/dl-viewdownload.php".

- --------
if ($show!="") {
        $perpage = $show;
    } else {
        $show=$perpage;
    }
...
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
- --------

varible $perpage.

So
http://[HOST]/[DIR]/index.php?name=Downloads&req=viewdownload&cid=1&show=[SQL%20INJECTION]

- --- 2. XSS ---

2.0 http://[HOST]/[DIR]/index.php?module=Comments&req=moderate&moderate=<center><h1>xss

2.1 http://cxib.server/PostNuke-0.760-RC4b/html/user.php?op=edituser&htmltext=<h1>xss

- --- 3. How to fix ---

Download the new version of the script or update.

- --- 4. Greets ---

sp3x

- --- 5.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCvRTRznmvyJCR4zQRAkRkAKCdKjGrMWgQq1lLjbIp3js1DPE3BACgp9qa
WN+5aC9o2/MLUjE1mKYzRP0=
=TYkF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ