From: come2waraxe at (Janek Vind)
Subject: [waraxe-2004-SA#020 - Multiple vulnerabilities in PostNuke 0.726 Phoenix]

{ [waraxe-2004-SA#020] }
{ [ Multiple vulnerabilities in PostNuke 0.726 Phoenix ] }
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu

Affected software description:

PostNuke: The Phoenix Release (

PostNuke is an open source, open development content management system (CMS).
PostNuke started as a fork from PHPNuke ( and provides many enhancements and
improvements over the PHP-Nuke system. PostNuke is still undergoing development,
but a large number of core functions are now stabilising and a complete API for
third-party developers is now in place.
If you would like to help develop this software, please visit our homepage.
You can also visit us on our IRC Server channel,
or at the Community Forums located at:


A. Full path disclosure:

A1 - legacy code

Fatal error: Call to undefined function:
deletenotice() in
D:\apache_wwwroot\postnuke0726\admin.php on line 87

It seems that this function, deletenotice(), was removed in newer versions,
but a reference to it still exists. Note that anyone can provoke this error
without any authentication, not only admins.

A2 - path disclosure through sql injection

Fatal error: Call to a member function on a non-object
on line 454

This is an SQL injection bug through the variable named "thold", but here it
is used only for path disclosure.
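Both A1 and A2 leak the install path because the fatal-error text is rendered to the client. The following is an added illustration, not PostNuke's code: it keeps error detail in a server-side log and sends the client only an opaque reference. The log path is an assumed placeholder, and the example assumes PHP 7 or later, where an undefined-function call becomes an uncaught Error that error_get_last() reports at shutdown.

```php
<?php
// Added illustration (not PostNuke code): keep fatal-error detail out of responses.
// Runtime equivalents of the php.ini settings display_errors=Off, log_errors=On, error_log=<path>.
declare(strict_types=1);

ini_set('display_errors', '0');                       // never render errors (and paths) to the client
ini_set('log_errors', '1');                           // but do record them server-side
ini_set('error_log', '/var/log/php/app-errors.log');  // assumed placeholder path

// Fatal errors bypass set_error_handler(), so inspect error_get_last() from a
// shutdown function and replace the half-rendered page with a generic message.
function handleFatalOnShutdown(): void
{
    $err = error_get_last();
    if ($err === null) {
        return;
    }
    $fatalTypes = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if (!in_array($err['type'], $fatalTypes, true)) {
        return;
    }
    // Correlation id: file and line go to the log, only the id goes to the client.
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s in %s:%d', $ref, $err['message'], $err['file'], $err['line']));

    if (ob_get_level() > 0) {
        ob_end_clean();            // discard partial output produced before the crash
    }
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "An internal error occurred. Reference: $ref\n";
}

ob_start();
register_shutdown_function('handleFatalOnShutdown');

// Reproduces the shape of case A1: a call to a function that no longer exists.
// The client sees only the reference line; the path is confined to the log.
deletenotice();
```

Shutdown functions run before PHP flushes output buffers, which is why the partial page can still be discarded here; in production the three ini_set() calls belong in php.ini or the server configuration rather than in application code.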

B. Cross-site scripting aka XSS:

Exploiting XSS in PostNuke is a difficult task, because PostNuke filters out
most of the "useful" tags, like <script>. Nevertheless, XSS bugs exist and can
be exploited using some custom techniques (at the cost of losing cross-browser
compatibility of the sploit).

B1 - XSS through unsanitized variable "$order"


C. Sql injection:

C1 - critical sql injection in NS-Polls

This is a devastating case of SQL injection, because it can be used to pull
ANY data the attacker needs out of the database.


... and we will see the admin's username, email and password's MD5 hash in
plaintext ;)

Remark: this sploit needs MySQL version >= 4.x with UNION functionality
enabled!
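Cases B1 and C1 share one root cause: request variables ($order, thold) copied straight into SQL and HTML. The block below is an added example, not PostNuke's code, showing that weak pattern beside a hardened form: allow-listing the ORDER BY identifier (identifiers cannot be bound as parameters), coercing the threshold to an in-range integer, binding it through PDO, and escaping anything echoed back. The table, column names and range limits are assumptions; PHP 8 with pdo_sqlite is assumed so the demo runs offline against constructed rows.

```php
<?php
// Added illustration (not PostNuke code): weak pattern beside a hardened form.
// Table "comments" and its columns are assumed for the demo.
declare(strict_types=1);

// Weak: $thold and $order are interpolated unvalidated into the query text.
function buildQueryWeak(array $request): string
{
    $thold = $request['thold'] ?? '0';
    $order = $request['order'] ?? 'date';
    return "SELECT subject, score FROM comments WHERE score >= $thold ORDER BY $order";
}

// Hardened step 1: an identifier must come from an allow-list, never from the request text.
const ALLOWED_ORDER = ['date', 'score', 'subject'];

function validateOrder(mixed $order): string
{
    return in_array($order, ALLOWED_ORDER, true) ? $order : 'date';
}

// Hardened step 2: the threshold is an integer in an assumed range; anything else falls back to 0.
function validateThold(mixed $thold): int
{
    $v = filter_var($thold, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => -1, 'max_range' => 5]]);
    return $v === false ? 0 : $v;
}

// Hardened step 3: bind the value; $order is only safe here because it was allow-listed.
function fetchComments(PDO $db, array $request): array
{
    $order = validateOrder($request['order'] ?? null);
    $thold = validateThold($request['thold'] ?? null);
    $stmt = $db->prepare("SELECT subject, score FROM comments WHERE score >= :thold ORDER BY $order");
    $stmt->bindValue(':thold', $thold, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for the B1 case: a reflected sort parameter is escaped before it reaches HTML.
function renderOrderLink(string $order): string
{
    return '<a href="?order=' . rawurlencode($order) . '">'
        . htmlspecialchars($order, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (subject TEXT, score INTEGER, date TEXT)');
$db->exec("INSERT INTO comments VALUES ('first', 1, '2004-04-18'), ('second', 3, '2004-04-17')");

// Constructed hostile request: a non-column in order, a non-integer in thold.
$request = ['order' => 'score; <b>x</b>', 'thold' => '0 UNION x'];
echo buildQueryWeak($request), "\n";            // raw interpolation, for contrast
print_r(fetchComments($db, $request));          // validation fell back to ORDER BY date, score >= 0
echo renderOrderLink($request['order']), "\n";  // angle brackets and quotes are escaped
```

The fallback values are deliberate: rejecting bad input with a generic default keeps the page working for ordinary users while removing the injection surface, and a spike of fallbacks in the application log is a useful signal that someone is probing these parameters.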


    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
    Special greets to UT Bee Clan members at ! "Boom!!" ;)

    Janek Vind "waraxe"


---------------------------------- [ EOF ]
