PostNuke Web_Links Module Path Disclosure

2004-04-19T08:30:31
ID OSVDB:5515
Type osvdb
Reporter Lorenzo Hernandez Garcia(novappc@novappc.com)
Modified 2004-04-19T08:30:31

Description

Vulnerability Description

PostNuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an error occurs in the Web_Links module: the resulting error message discloses the local PostNuke installation path, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: disable the display_errors directive in php.ini.
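To confirm the workaround is actually in effect, the following added example (not part of the original advisory) audits the text of a php.ini file for the display_errors setting. The function names and the sample input are constructed for illustration, and the check assumes only the main php.ini matters: per-directory overrides and runtime ini_set() calls are not inspected.

```python
# Added example: audit php.ini text for the display_errors workaround.
# Assumption: only the main php.ini is examined; .htaccess php_flag lines,
# .user.ini files and runtime ini_set() calls can still override it.

OFF_VALUES = {"", "0", "off", "false", "no", "none"}
PHP_DEFAULT = "1"  # PHP's built-in default when the directive is absent


def effective_value(ini_text, directive):
    """Return the last value assigned to `directive`, or None if never set."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                            # blank line or section header
        key, _, val = line.partition("=")
        if key.strip().lower() == directive:
            value = val.strip().strip("\"'")   # later assignments win
    return value


def audit_display_errors(ini_text):
    """Return (shown_to_client, reason) for the given php.ini text."""
    value = effective_value(ini_text, "display_errors")
    if value is None:
        return True, "display_errors unset; PHP default is %s" % PHP_DEFAULT
    if value.lower() in OFF_VALUES:
        return False, "display_errors = %s (disabled)" % value
    # Anything else is treated as enabled, which errs toward flagging.
    return True, "display_errors = %s (enabled)" % value


# Constructed sample: a commented-out line followed by the real setting.
SAMPLE_INI = """[PHP]
; display_errors = Off
display_errors = On
log_errors = On
"""

if __name__ == "__main__":
    shown, reason = audit_display_errors(SAMPLE_INI)
    print("FAIL" if shown else "OK", "-", reason)
```
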

Manual Testing Notes

http://[TARGET]/modules.php?op=modload&name=Web_Links&file=index&req=viewdownloaddetails&lid=[RANDOMNUMERICCONTENT]

http://[TARGET]/modules.php?op=modload&name=Web_Links&file=index&req=viewdownloadcomments&lid=[RANDOMNUMERICCONTENT]

http://[TARGET]/modules.php?op=modload&name=Web_Links&file=index&req=viewdownloadeditorial&lid=[RANDOMNUMERICCONTENT]

http://[TARGET]/modules.php?op=modload&name=Web_Links&file=index&req=brokendownload&lid=[RANDOMNUMERICCONTENT]

http://[TARGET]/modules.php?op=modload&name=Web_Links&file=index&req=outsidedownloadsetup&lid=[RANDOMNUMERICCONTENT]

References:

Vendor URL: http://www.postnuke.com/
Security Tracker: 1006847
Related OSVDB ID: 5516
Related OSVDB ID: 5517
Related OSVDB ID: 5520
Related OSVDB ID: 5521
Related OSVDB ID: 5497
Related OSVDB ID: 5496
Related OSVDB ID: 5518
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1211.html
Keyword: NSRG-09-8
ISS X-Force ID: 12188
Bugtraq ID: 7693