Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2005-2022 Tenable Network Security, Inc.POSTNUKE_0_760_RC4B.NASL
HistoryAug 30, 2005 - 12:00 a.m.

PostNuke <= 0.760 RC4b Multiple Vulnerabilities

2005-08-3000:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com
13
JSON

The remote host appears to be running PostNuke version 0.760 RC4b or older. These versions suffer from several vulnerabilities :

  • Multiple Cross-Site Scripting Vulnerabilities An attacker can inject arbitrary HTML and script code into the browser of users by manipulating input to the ‘moderate’ parameter of the ‘Comments’ module and the ‘htmltext’ parameter of the ‘user.php’ script.

  • A SQL Injection Vulnerability The application fails to launder user-supplied input to the ‘show’ parameter in the ‘modules/Downloads/dl-viewdownload.php’ module.
    With admin rights, an attacker could exploit this issue to manipulate SQL queries.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(19545);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-2689", "CVE-2005-2690");
  script_bugtraq_id(14635, 14636);

  script_name(english:"PostNuke <= 0.760 RC4b Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to several
attacks.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running PostNuke version 0.760 RC4b or
older.  These versions suffer from several vulnerabilities :

  - Multiple Cross-Site Scripting Vulnerabilities
    An attacker can inject arbitrary HTML and script 
    code into the browser of users by manipulating
    input to the 'moderate' parameter of the 
    'Comments' module and the 'htmltext' parameter
    of the 'user.php' script.

  - A SQL Injection Vulnerability
    The application fails to launder user-supplied
    input to the 'show' parameter in the
    'modules/Downloads/dl-viewdownload.php' module.
    With admin rights, an attacker could exploit 
    this issue to manipulate SQL queries.");
  script_set_attribute(attribute:"see_also", value:"http://securityreason.com/achievement_securityalert/22");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Aug/286");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PostNuke version 0.760 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postnuke_software_foundation:postnuke");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");

  script_dependencies("postnuke_detect.nasl", "cross_site_scripting.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
if (get_kb_item("www/" + port + "/generic_xss")) exit(0);


# A simple alert.
xss = '<script>alert("' + SCRIPT_NAME + '")</script>';
# nb: the url-encoded version is what we need to pass in.
exss = urlencode(str:xss);

exploits = make_list(
  string(
    "/index.php?",
    "module=Comments&",
    "req=moderate&",
    "moderate=<center><h1>", exss
  ),
  string(
    "/user.php?",
    "op=edituser&",
    "htmltext=<h1>", exss
  )
);


# Test an install.
install = get_kb_item(string("www/", port, "/postnuke"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];

  # Try to exploit one of the XSS flaws.
  foreach exploit (exploits) {
    r = http_send_recv3(method:"GET", item:string(dir, exploit), port:port);
    if (isnull(r)) exit(0);
    res = r[2];

    # It's a problem if we see our XSS.
    if (xss >< res) {
      security_warning(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}
VendorProductVersionCPE
postnuke_software_foundationpostnukecpe:/a:postnuke_software_foundation:postnuke

Related

cve 2
cve
cve
CVE-2005-2689
2005-08-24 04:00:00
CVE-2005-2690
2005-08-24 04:00:00
JSON
Related for POSTNUKE_0_760_RC4B.NASL
cve2