PostNuke NS/Multisites Module serverName Variable HTML Injection

2005-05-21T11:01:41
ID OSVDB:16791
Type osvdb
Reporter OSVDB
Modified 2005-05-21T11:01:41

Description

Technical Description

Exploitation requires that PHP errors and 'Register Global' (the PHP register_globals setting) both be on.

Solution Description

Upgrade to version 0.750b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/[DIR]/modules/Multisites/installation/config.php?serverName=<H1>SUICIDE</H1>
http://[victim]/[DIR]/modules/NS-Multisites/installation/config.php?serverName=<H1>SUICIDE</H1>

References:

Vendor URL: http://www.postnuke.com/
Secunia Advisory ID: 15450
Other Advisory URL: http://news.postnuke.com/Article2691.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0255.html