Details : SecurityReason Advisory

  Topic : Multiple vulnerabilities in PostNuke <= 0.761
  SecurityAlert : 33
  CVE : CVE-2006-0800
  CVE : CVE-2006-0801
  CVE : CVE-2006-0802
  SecurityRisk : Medium
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : No
  Credit : Maksymilian Arciemowicz
  Date : 19.02.2006

  Affected Software : Postnuke 0.761 and prior

  Advisory Text :  


[Multiple vulnerabilities in PostNuke <= 0.761]

SecurityAlert SA033

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 19.2.2006
from SecurityReason.Com

--- 0. Description ---

PostNuke: The Phoenix Release (0.761)

PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


--- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---

PostNuke has the function pnVarCleanFromInput() (file includes/pnAPI.php):

--- includes/pnAPI.php, lines 419-515 ---
function pnVarCleanFromInput()
{
    // Create an array of bad objects to clean out of input variables
    $search = array('|</?\s*SCRIPT.*?>|si',
                    '|</?\s*FRAME.*?>|si',
                    '|</?\s*OBJECT.*?>|si',
                    '|</?\s*META.*?>|si',
                    '|</?\s*APPLET.*?>|si',
                    '|</?\s*LINK.*?>|si',
                    '|</?\s*IFRAME.*?>|si',
                    '|STYLE\s*=\s*"[^"]*"|si');

    // Create an empty array that will be used to replace any malicious code
    $replace = array('');
    ...
--- includes/pnAPI.php, lines 419-515 ---

and the function pnSecureInput() (file includes/pnAntiCracker.php):

--- includes/pnAntiCracker.php, lines 31-109 ---
function pnSecureInput()
{
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // extended by Neo

    if (count($_GET) > 0) {
        // Lets now sanitize the GET vars
        foreach ($_GET as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                    (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                    (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                    (eregi("\"", $secvalue))) {

                    pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.');
                    Header("Location: index.php");
                }
            }
        }
    }

    // Lets now sanitize the POST vars
    if ( count($_POST) > 0) {
        foreach ($_POST as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue))
                ) {

                    pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.');
                    Header("Location: index.php");
                }
            }
        }
    }

    // Lets now sanitize the COOKIE vars
    if ( count($_COOKIE) > 0) {
        foreach ($_COOKIE as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                    (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                    (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                    (eregi("<[^>]*img.*\"?[^>]*>", $secvalue))
                ) {

                    pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','COOKIE Intrusion detection.');
                    Header("Location: index.php");
                }
            }
        }
    }
}
--- includes/pnAntiCracker.php, lines 31-109 ---


These functions strip from the input HTML tags like:

- <script>
- <frame>
- <object>
- <meta>
- <applet>
- <link>
- <iframe>
and
- STYLE=

Note that both filters only recognise a tag that is closed with ">": every
pattern in pnVarCleanFromInput() ends in ".*?>" and every tag pattern in
pnSecureInput() ends in "[^>]*>". So if we send to the script:

# <HTMLTAG? < Hi

the functions find no bad tag, because the tag is never closed.
The browser, however, reads

"<HTMLTAG? < Hi"

and treats the second "<" as ">". Result:

# <HTMLTAG? > Hi

The same bug as in:
http://securityreason.com/achievement_securityalert/28
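To show concretely why the unclosed tag passes both filters, here is an added example (not code from the advisory or from PostNuke) that ports the blacklist patterns of pnVarCleanFromInput() and the tag checks of pnSecureInput() to Python, runs them over the advisory's own sample input, and contrasts them with output encoding, which does not depend on the shape of the input. The PCRE/POSIX-to-Python port and the sample strings are my own construction.

```python
import html
import re

# Blacklist from PostNuke's pnVarCleanFromInput() (includes/pnAPI.php),
# ported from PCRE to Python re; the PCRE flags "si" become re.S | re.I.
_PN_CLEAN_PATTERNS = [
    re.compile(p, re.S | re.I) for p in (
        r"</?\s*SCRIPT.*?>", r"</?\s*FRAME.*?>", r"</?\s*OBJECT.*?>",
        r"</?\s*META.*?>", r"</?\s*APPLET.*?>", r"</?\s*LINK.*?>",
        r"</?\s*IFRAME.*?>", r'STYLE\s*=\s*"[^"]*"',
    )
]

# GET-side tag checks from pnSecureInput() (includes/pnAntiCracker.php);
# eregi() is case-insensitive, hence re.I. Only the tag patterns are ported.
_PN_DETECT_PATTERNS = [
    re.compile(r'<[^>]*%s.*"?[^>]*>' % name, re.I)
    for name in ("script", "object", "iframe", "applet", "meta", "style",
                 "form", "window", "alert", "img", "document", "cookie")
]


def pn_clean(value: str) -> str:
    """Delete every blacklisted match, as pnVarCleanFromInput() does."""
    for pat in _PN_CLEAN_PATTERNS:
        value = pat.sub("", value)
    return value


def pn_detects(value: str) -> bool:
    """True when pnSecureInput()'s tag patterns would flag the value."""
    return any(pat.search(value) for pat in _PN_DETECT_PATTERNS)


def filters_catch(value: str) -> bool:
    """Did either PostNuke filter react to this input at all?"""
    return pn_clean(value) != value or pn_detects(value)


def render_safely(value: str) -> str:
    """Mitigation: encode on output instead of blacklisting on input.
    '<', '>', '&' and quotes become entities, so the text can never open a
    tag no matter how leniently a browser parses unclosed markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs: a closed tag, then the advisory's unclosed tag.
    for sample in ("<script>alert(1)</script>", "<HTMLTAG? < Hi", "<iframe <"):
        print(repr(sample), "caught:", filters_catch(sample),
              "escaped:", render_safely(sample))
```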

--- 2. XSS ---

2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS]

2.1
The same bug exists in the Title field of "Post Comment".
Try sending a reply title like

<HTMLTAG <

--- 3. Bypass Access, Critical SQL Injection, XSS ---
Try opening:

http://[HOST]/[DIR]/admin.php?module=NS-Languages
http://[HOST]/[DIR]/admin.php?module=Banners

and you have access to all options in modules like Languages and Banners. You
do not need to be admin!
The Languages module has more issues.

If magic_quotes_gpc is Off, you have SQL injection:

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL INJECTION

Or if it is On, XSS:

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XSS]
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[XSS]

For Security Reason there will be No Official Exploit for Postnuke.

--- 4. How to fix ---

Download the new version of the script (0.762) or update to 0.762.

--- 5. Greets ---
Special: sp3x

p_e_a, eax

--- 6. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
