[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection

To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection
From: pokley <pokleyzz@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Apr 2004 02:18:31 +0800

Products: Postnuke v 0.726 (http://www.postnuke.com)
Date: 15 April 2004
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Postnuke v 0.726 and below SQL injection

Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.

Details
=======
We have found multiple vulnerabilities in Postnuke v 0.726 as described
below.

SQL Injection in NS-Comments module
-----------------------------------
There is SQL injection in INSERT statement for variable "sid" in file
modules/NS-Comments/index.php line 1142:


                         VALUES ($nextid, ".pnVarPrepForStore($pid).",
".pnVarPrepForStore($sid).", now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                   
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

This will allow Postnuke user with permission to post comment include any character in their comment and perform XSS attack to steal other user cookies.

SQL Injection in NS-Your_Account module
----------------------------------------
There is SQL injection in UPDATE statement for variable "timezoneoffset"
in file modules/NS-Your_Account/user/modules/changeinfo.php php line 334
and 354:

$column[timezone_offset]=" . pnVarPrepForStore($timezoneoffset) . "

This will allow Postnuke user to change information for other user account
including Administrator password.

Workaround
==========
1) modules/NS-Comments/index.php

                         VALUES ($nextid, '".pnVarPrepForStore($pid)."',
'".pnVarPrepForStore($sid)."', now(), '".pnVarPrepForStore($uname)."',
'".pnVarPrepForStore($email)."',
                                                   
'".pnVarPrepForStore($url)."',
'".pnVarPrepForStore($ip)."', '".pnVarPrepForStore($subject)."',
'".pnVarPrepForStore($comment)."', '".pnVarPrepForStore($score)."', 0)");

2)modules/NS-Your_Account/user/modules/changeinfo.php

$column[timezone_offset]='" . pnVarPrepForStore($timezoneoffset) . "'

Proof of concept
================
[http://www.scan-associates.net/papers/post_nuker.php.txt]

Vendor Response =============== 05 February 2004 - security@xxxxxxxxxxxx contacted through email. no response. 07 April 2004 - security@xxxxxxxxxxxx contacted through email. no response.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] Cisco LEAP exploit tool...
Next by Date: [Full-Disclosure] RainbowCrack patch for Mac OS X
Previous by thread: [Full-Disclosure] [SECURITY] [DSA 485-1] New ssmtp packages fix format string vulnerabilities
Next by thread: [Full-Disclosure] RainbowCrack patch for Mac OS X
Index(es):
- Date
- Thread