SecurityTracker.com
SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   PostNuke
Vendors:   postnuke.com
PostNuke Downloads Site May Have Been Compromised
SecurityTracker Alert ID:  1011938
SecurityTracker URL:  http://securitytracker.com/id/1011938
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 26 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): .750
Description:   The vendor reported that 'downloads.postnuke.com' was compromised and that some files in the PostNuke .750 distribution were modified.

The compromise occurred on October 24, 2004 at 23:50 GMT.

The original software was restored on October 26, 2004 at 8:30 GMT.

The vendor notes that the compromise occurred due to a vulnerability in the 'pafiledb' download management software and not in PostNuke. The compromise caused the download address of PostNuke-0.750.zip to point to a compromised archive.

The 'tar.gz' archive was not affected.

Because of the modifications, data (including passwords) submitted during the installation process is sent to a different server. Also, a remote user can execute arbitrary shell commands on the target system.

The vendor credits *mheffel* with reporting the exploit.

Impact:   On systems that have installed the compromised version, installation data (including passwords) is sent to a different server. Also, a remote user can execute arbitrary shell commands on the target system.
Solution:   Users that downloaded the '.zip' package between Sunday (24.Oct) at 23:50 GMT and Tuesday (26.Oct) at 8:30 GMT should take the following actions [quoted]:

1. Immediately remove the affected file /includes/pnAPI.php and replace it on your server with the original one (either from a fresh download or from http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnAPI.php?rev=1.86&content-type=text/vnd.viewcvs-markup)

2. Check the access-logs for any entry containing 'oops='. If you find any call, please contact the PostNuke Security Team via http://forums.postnuke.com/index.php?module=vpContact providing the access log for further investigation.

3. Change your database details: username, password and, if possible, database name.

Vendor URL:  news.postnuke.com/modules.php?op=modload&name=News&file=index&catid=&topic=38
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Downloads on PostNuke.com Target of Hacker: Immediate Action Required


---------------------------------------------------------------------------
PostNuke Security Advisory PNSA 2004-3                Vanessa Haakenson
http://www.postnuke.com/
October 26, 2004
For contacts: http://news.postnuke.com/index.php?module=vpContact
---------------------------------------------------------------------------
Vulnerability: Attacker used an exploit in the download management software pafiledb to change the download address of PostNuke-0.750.zip to point to a compromised archive.

DESCRIPTION
The changes made by the hackers were in two places. First, during the installation routine all data submitted (this includes the server, the database credentials, the admin name and password) is sent to a different server. Second, in one file there was code allowing a malicious user to execute any shell command on the web server.

SOLUTION
Immediate action is required from everyone who downloaded the .zip package between Sunday (24.Oct) at 23:50 GMT and Tuesday (26.Oct) at 8:30 GMT.

Required Actions
1. Immediately remove the affected file /includes/pnAPI.php and replace it on your server with the original one (either from a fresh download or from http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnAPI.php?rev=1.86&content-type=text/vnd.viewcvs-markup)

2. Check the access-logs for any entry containing 'oops='. If you find any call, please contact the PostNuke Security Team via http://forums.postnuke.com/index.php?module=vpContact providing the access log for further investigation.

3. Change your database details: username, password and, if possible, database name.

In the future, to avoid downloading tampered files, please compare the MD5 checksums with an independent source to ensure legitimacy, such as http://www.post-nuke.net.
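Step 2 of the Required Actions and the MD5 advice above, as an added example that is not part of the advisory or of PostNuke: a Python script that parses combined-format access log lines, reports the requests whose query string carries the 'oops' parameter (with the fields the security team would need), and compares an archive's MD5 against a checksum obtained from an independent source. The log lines and checksum values are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_oops_requests(log_lines):
    """Return one record per request whose query string has an 'oops' parameter.

    Parsing the query string is stricter than a plain substring grep for 'oops=':
    a value such as 'name=whoops=1' is not reported. Blank values ('?oops=') are kept.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip rather than crash on a large log
            continue
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)
        if "oops" in query:
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "method": m.group("method"), "path": parts.path,
                         "status": m.group("status")})
    return hits


def md5_matches(archive_bytes, reference_hex):
    """Compare the MD5 of the downloaded archive with an independently published
    checksum, using a constant-time comparison."""
    digest = hashlib.md5(archive_bytes).hexdigest()
    return hmac.compare_digest(digest, reference_hex.strip().lower())


# Constructed sample log lines (not taken from the advisory): one benign request,
# one near miss for a substring grep, and two requests carrying the parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2004:01:12:33 +0000] "GET /index.php?module=News HTTP/1.1" 200 5120',
    '10.0.0.8 - - [25/Oct/2004:03:40:02 +0000] "GET /index.php?name=whoops=1 HTTP/1.1" 200 210',
    '192.0.2.44 - - [25/Oct/2004:02:07:51 +0000] "GET /index.php?oops=1 HTTP/1.1" 200 318',
    '198.51.100.9 - - [26/Oct/2004:04:15:20 +0000] "POST /includes/pnAPI.php?oops= HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for hit in find_oops_requests(SAMPLE_LOG):
        print(hit)
```

Run it against a real log with `find_oops_requests(open("access.log"))`; a non-empty result is what the advisory asks you to send to the security team.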

For security updates notifications:
http://lists.postnuke.com/mailman/listinfo/postnuke-security

REFERENCES
   No references are currently available on the net.

CREDITS
This exploit was reported in the PN forums by *mheffel*
Copyright 2021, SecurityGlobal.net LLC