SecurityTracker.com
SecurityTracker Archives

Category: Application (Forum/Board/Portal) > PostNuke
Vendors: [Multiple Authors/Vendors]
PostNuke Multiple Input Validation Flaws Allow Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1003884
SecurityTracker URL: http://securitytracker.com/id/1003884
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 22 2002
Impact: Disclosure of authentication information, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 7.0.3 and prior versions
Description:   Several input validation bugs were reported in the PostNuke portal software. A remote user can conduct cross-site scripting attacks against users of PostNuke-based web sites.

Several components of PostNuke reportedly allow a remote user to create HTML containing malicious JavaScript; when another user loads that HTML, the JavaScript runs in that user's browser. Because the code appears to originate from the site running PostNuke, it runs in that site's security context and can therefore access the target user's cookies and other sensitive information associated with the PostNuke site.

A few demonstration exploit examples are provided:

http://[targethost]/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com">

http://[targethost]/index.php?catid=<script>alert(document.cookie)</script>

Impact:   A remote user can conduct cross-site scripting attacks against users of PostNuke sites to obtain their authentication cookies and other sensitive information.
Solution:   The vendor has reportedly released a fixed version (v0.71), available at:

http://www.postnuke.com/

Vendor URL: www.postnuke.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject: PostNuke Bugged

Hi everyone,

this post is 4 weeks after the original information was made available to the developers, allowing time for many affected users to patch and also the developers to fix / check newer versions.

---------

rootkidd found another set of vulnerabilities in postnuke, this time in version 7.0.3 and below.

www.postnuke.com

This software will allow anyone to produce an interactive website for their users. Sadly, due to the nature of this software, user input validation is not done correctly. This is serious as ALL websites running postnuke prior to today's CVS version are vulnerable. While CSS bugs are well known and widespread, it seems that many such sites are still falling victim.

The particular issues allow a user to craft special URLs by using postnuke.com or any derived website and then force a script-enabled browser to run hostile code or other trickeries. It is also possible to steal a user's login session details and passwords.

Rootkidd can now post this as apparently the software, according to the Postnuke developers, has been fixed in their latest CVS version, which was created today, 02/03/02. However, many sites using it are still unpatched. Please update!!

There are many more bugs than those that follow.

-Example

http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com"> <-- this is funny :o)

http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>

The cookie details are displayed on the page as well as in an alert window, which could lead to a user's account being compromised.

The below text will be shown on the web page once run.

PHPLive New! 
alert(document.cookie)&unique=1015076420651 
border=0 
alt='Click for Live Support!'> 

We also get some cool information from the site that we should not-

DB Error: getArticles: 1064: You have an error in your SQL syntax near '= ORDER BY nuke_stories.sid DESC LIMIT 1' at line 23

We also get a fully qualified path to the files we hack, allowing one to guess OS type and other such things.

There are many bugs similar to these with pages other than the examples shown. Most people think it is just modules.php but this is NOT the case.

This is an example of some other info that can be retrieved-

22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc ' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n

22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc limit 0,10' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc limit 0,10 " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n



Fix-


Visit postnuke.com & trollix.com for a patch script, upgrade your postnuke version, use "strip_tags($Evil_halt, "acceptable html ");", filter unwanted code being passed to the server, add <>, cookie and other such characters / words to your snort config and finally DISABLE error reporting in php.ini.


http://sourceforge.net/tracker/index.php?func=detail&aid=524777&group_id=27927&atid=392228


----

Rootkidd thinks that all php based sites are at risk, have found many bugs with phpnuke that are almost identical, path disclosure, css, csrf, sql statements and many more nice things.

This is rootkidd's first post to Bugtraq as always tried to keep bug releases to own site only, have removed site and removed this method of informing people.

Thanks, and happy hacking.
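The input validation and output escaping that the advisory's Solution and the post's Fix section call for, as an added PHP example that is not PostNuke's own code and not rootkidd's patch script. The function names, the module allowlist and the sample inputs are constructed for this illustration; the two parameters it checks, catid on index.php and name on modules.php?op=modload, are the ones the post's URLs target.

```php
<?php
// Added example, not PostNuke's code: validate the two reported parameters
// (catid on index.php, name on modules.php?op=modload) and escape output.
// Function names, the module allowlist and the sample inputs are assumptions
// made for this illustration.

declare(strict_types=1);

// The post's last recommendation: keep DB errors and file paths off the page.
// Runtime equivalent of display_errors = Off / log_errors = On in php.ini.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Escape a string for HTML text or attribute context. ENT_QUOTES converts
// both ' and " so the value cannot break out of a quoted attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// catid is a numeric id: accept digits only. \z (rather than $) so a trailing
// newline cannot slip through. Returning null keeps the broken fragment
// "= ORDER BY ..." seen in the post's DB error from ever being built.
function validate_catid(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// name selects a module: require a plain identifier AND membership in a
// known list, so "<iframe ...>" is rejected before anything is rendered.
function validate_module_name(?string $raw, array $known_modules): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_]{1,32}\z/', $raw)) {
        return null;
    }
    return in_array($raw, $known_modules, true) ? $raw : null;
}

// Vulnerable pattern (for contrast only): the raw parameter is echoed back.
function render_vulnerable(string $catid): string
{
    return "<p>Category: $catid</p>";
}

// Hardened pattern: validate first, then escape whatever is rendered, and
// never echo the rejected input back inside the error message.
function render_hardened(?string $raw_catid): string
{
    $catid = validate_catid($raw_catid);
    if ($catid === null) {
        return '<p>Unknown category.</p>';
    }
    return '<p>Category: ' . html_escape((string) $catid) . '</p>';
}

// Constructed sample inputs mirroring the two URLs in the post, plus a valid id.
$samples = [
    '<script>alert(document.cookie)</script>',
    '<iframe src="http://www.microsoft.com">',
    '42',
];

foreach ($samples as $s) {
    echo "input:      " . $s . "\n";
    echo "vulnerable: " . render_vulnerable($s) . "\n";
    echo "hardened:   " . render_hardened($s) . "\n\n";
}

// Constructed allowlist; a real install would read its own module table.
$known_modules = ['News', 'Downloads', 'Search'];
foreach (['News', '<iframe src="x">', 'News;drop'] as $name) {
    $ok = validate_module_name($name, $known_modules);
    echo "module " . $name . " => " . ($ok === null ? 'rejected' : 'accepted') . "\n";
}
```

Run it with `php example.php`. The design point is that checking each parameter against its expected type (an integer id, a known module name) stops both the script injection and the malformed SQL that produced the DB errors quoted in the post, while htmlspecialchars() is the fallback for values that legitimately carry arbitrary text; the strip_tags() call the post suggests only removes tags and leaves attribute-context and entity-encoded payloads to the escaping step.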


 
 


Copyright 2019, SecurityGlobal.net LLC