Vendor URL: http://www.postnuke.com/
Vendor Specific News/Changelog Entry: http://news.postnuke.com/index.php?name=News&file=article&sid=2754
Secunia Advisory ID: 18937
Related OSVDB ID: 23436
Related OSVDB ID: 23433
Related OSVDB ID: 23434
Other Advisory URL: http://securityreason.com/achievement_securityalert/33
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0469.html
FrSIRT Advisory: ADV-2006-0673
CVE-2006-0801
Bugtraq ID: 16752
{"edition": 1, "title": "PostNuke NS-Languages Module language Variable SQL Injection", "bulletinFamily": "software", "published": "2006-02-19T05:32:43", "lastseen": "2017-04-28T13:20:20", "history": [], "modified": "2006-02-19T05:32:43", "reporter": "OSVDB", "hash": "c7eecbf32fac18d66ab4e982eebeda0eb3de9d56ea2817b84d2e213c33d47b39", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:23435", "description": "## Solution Description\nUpgrade to version .762 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Manual Testing Notes\nhttp://[target]/[path]/admin.php?module=NS-Languages&op=missing&language='SQLINJECTION\n## References:\nVendor URL: http://www.postnuke.com/\nVendor Specific News/Changelog Entry: http://news.postnuke.com/index.php?name=News&file=article&sid=2754\n[Secunia Advisory ID:18937](https://secuniaresearch.flexerasoftware.com/advisories/18937/)\n[Related OSVDB ID: 23436](https://vulners.com/osvdb/OSVDB:23436)\n[Related OSVDB ID: 23433](https://vulners.com/osvdb/OSVDB:23433)\n[Related OSVDB ID: 23434](https://vulners.com/osvdb/OSVDB:23434)\nOther Advisory URL: http://securityreason.com/achievement_securityalert/33\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0469.html\nFrSIRT Advisory: ADV-2006-0673\n[CVE-2006-0801](https://vulners.com/cve/CVE-2006-0801)\nBugtraq ID: 16752\n", "affectedSoftware": [], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "3a4b624c031ae5efefb82c7929d19408"}, {"key": "cvss", "hash": "88e04999358e76acae57a21bcf224d40"}, {"key": "description", "hash": "b3a5f2204dc8cb7cfa46724d2864567f"}, {"key": "href", "hash": "f5f833d7f82d7200c914d365d4876d83"}, {"key": "modified", "hash": "daaabfac60766df3cf6d2b695c00865b"}, {"key": "objectVersion", "hash": 
"56765472680401499c79732468ba4340"}, {"key": "published", "hash": "daaabfac60766df3cf6d2b695c00865b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "303c2f9f8fcb4f40dcd754fa86149dd8"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-04-28T13:20:20"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-0801"]}, {"type": "exploitdb", "idList": ["EDB-ID:27255"]}, {"type": "nessus", "idList": ["POSTNUKE_0_762.NASL"]}], "modified": "2017-04-28T13:20:20"}, "vulnersScore": 6.3}, "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 5.1}, "cvelist": ["CVE-2006-0801"], "id": "OSVDB:23435"}
{"cve": [{"lastseen": "2019-05-29T18:08:31", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is off, allows remote attackers to execute arbitrary SQL commands via the language parameter to admin.php.\nSuccessful exploitation requires that the \"magic_quotes_gpc\" parameter is disabled.", "modified": "2017-07-20T01:30:00", "id": "CVE-2006-0801", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0801", "published": "2006-02-20T22:02:00", "title": "CVE-2006-0801", "type": "cve", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T05:28:02", "bulletinFamily": "exploit", "description": "PostNuke 0.6x/0.7x NS-Languages Module language Parameter SQL Injection. CVE-2006-0801 . Webapps exploit for php platform", "modified": "2006-02-21T00:00:00", "published": "2006-02-21T00:00:00", "id": "EDB-ID:27255", "href": "https://www.exploit-db.com/exploits/27255/", "type": "exploitdb", "title": "PostNuke 0.6x/0.7x NS-Languages Module language Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/16752/info\r\n \r\nPostNuke is prone to multiple input-validation vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input. \r\n \r\nSuccessful exploitation could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, exploit vulnerabilities in the underlying database implementation, or control how the site is rendered to the user. 
Other attacks are also possible.\r\n\r\nhttp://www.example.com/admin.php?module=NS-Languages&op=missing&language=[sql]\r\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27255/"}], "nessus": [{"lastseen": "2019-11-01T03:20:05", "bulletinFamily": "scanner", "description": "The installed version of PostNuke allows an unauthenticated attacker\nto gain administrative access to select modules through a simple GET\nrequest. Additionally, it may be prone to various SQL injection\ninjection or cross-site scripting attacks as well as unspecified\nattacks through the Languages module.", "modified": "2019-11-02T00:00:00", "id": "POSTNUKE_0_762.NASL", "href": "https://www.tenable.com/plugins/nessus/20969", "published": "2006-02-22T00:00:00", "title": "PostNuke < 0.762 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20969);\n script_version(\"1.19\");\n\n script_cve_id(\"CVE-2006-0800\", \"CVE-2006-0801\", \"CVE-2006-0802\");\n script_bugtraq_id(16752);\n\n script_name(english:\"PostNuke < 0.762 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for admin access bypass issue in PostNuke\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple flaws.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of PostNuke allows an unauthenticated attacker\nto gain administrative access to select modules through a simple GET\nrequest. 
Additionally, it may be prone to various SQL injection\ninjection or cross-site scripting attacks as well as unspecified\nattacks through the Languages module.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://securityreason.com/achievement_securityalert/33\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Feb/473\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.postnuke.com/index.php?name=News&file=article&sid=2754\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PostNuke 0.762 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/02/22\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:postnuke_software_foundation:postnuke\");\n script_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"postnuke_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, 
\"/postnuke\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the admin access bypass issue.\n r = http_send_recv3(method:\"GET\", item:string(dir, \"/admin.php?module=Banners\"), port:port);\n if (isnull(r)) exit(0);\n res = strcat(r[0], r[1], '\\r\\n', r[2]);\n\n\n # There's a problem if we're granted access.\n if ('<a href=\"admin.php?module=Banners&op=getConfig\">Banners configuration' >< res) {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}]}