|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 454 CVE : CVE-2006-0800 CVE : CVE-2006-0801 CVE : CVE-2006-0802 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Maksymilian Arciemowicz Published : 19.02.2006
Advisory Content : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [Multiple vulnerabilities in PostNuke <= 0.761] SecurityAlert SA033 Author: Maksymilian Arciemowicz (cXIb8O3) Date: 19.2.2006 from SecurityReason.Com - --- 0.Description --- PostNuke: The Phoenix Release (0.761) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ - --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker --- In PostNuke is function pnVarCleanFromInput() (file includes/pnAPI.php). - -419-515--- function pnVarCleanFromInput() { // Create an array of bad objects to clean out of input variables $search = array('|</?\s*SCRIPT.*?>|si', '|</?\s*FRAME.*?>|si', '|</?\s*OBJECT.*?>|si', '|</?\s*META.*?>|si', '|</?\s*APPLET.*?>|si', '|</?\s*LINK.*?>|si', '|</?\s*IFRAME.*?>|si', '|STYLE\s*=\s*"[^"]*"|si'); // Create an empty array that will be used to replace any malacious code $replace = array(''); ... - -419-515--- and function pnSecureInput() (file includes/pnAntiCracker.php). - -31-109--- function pnSecureInput() { // Cross-Site Scripting attack defense - Sent by larsneo // some syntax checking against injected javascript // extended by Neo if (count($_GET) > 0) { // Lets now sanitize the GET vars foreach ($_GET as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("\"", $secvalue))) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.'); Header("Location: index.php"); } } } } // Lets now sanitize the POST vars if ( count($_POST) > 0) { foreach ($_POST as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.'); Header("Location: index.php"); } } } } // Lets now sanitize the COOKIE vars if ( count($_COOKIE) > 0) { foreach ($_COOKIE as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','COOKIE Intrusion detection.'); Header("Location: index.php"); } } } } } - -31-109--- This functions deletes from input html tags like: - <script> - <frame> - <object> - <meta> - <applet> - <link> - <iframe> and - STYLE= Ok. But if we sent to script: # <HTMLTAG? < Hi The functions don't find wrong tags. And browser read this "<HTMLTAG? < Hi" and change "<" to ">". Result: # <HTMLTAG? > Hi Bug like in: http://securityreason.com/achievement_securityalert/28 - --- 2. XSS --- 2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS] 2.1 That some but in Title in "Post Comment". Try to send title of reply like <HTMLTAG < - --- 3. Bypass Access, Critical SQL Injection, XSS --- Try to go: http://[HOST]/[DIR]/admin.php?module=NS-Languages http://[HOST]/[DIR]/admin.php?module=Banners and you have access to all options in modules like Languages, Banners. You don't need to be admin! In module Languages exists more issues. if magic_quotes_gpc is Off.. You have SQL INJECTION http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL INJECTION Or if On.. xss http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XS S] http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[ XSS] For Security Reason there will be No Official Exploit for Postnuke. - --- 4. How to fix --- Download the new version of the script(.762) or update to .762. - --- 5. Greets --- Special: sp3x p_e_a, eax - --- 6.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFD+NKy3Ke13X/fTO4RAraIAJ49qqD8/2AKKg5OE8Uw5ozbE5KxWQCgnVAL 2Zvpf0c+8dfNsndg8ZXwqto= =zYaR -----END PGP SIGNATURE-----  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |