Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

postnukeInclusion.txt

🗓️ 27 May 2005 00:00:00Reported by PokleyzzType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Postnuke 0.750 - 0.760rc4 local file inclusion vulnerability in function pnModFun

Code
`Product : Postnuke 0.750 (http://www.postnuke.com)  
Description: Postnuke 0.750 - 0.760rc4 local file inclusion  
Severity: High  
  
Description  
===========  
Postnuke is Web Content Management System written in PHP and using mysql  
as database backend.  
  
Detail  
======  
  
Directory traversal in function pnModFunc  
-----------------------------------------  
  
We have found serious vulnerability which allow any user to view/include   
local file in function pnModFunc. This is due to lack of error checking in   
function pnModFunc when user supply func through index.php. func variable   
will sanitize using pnVarCleanFromInput which will remove any slashes   
before pass to pnModFunc in index.php. This make nullbyte poisoning   
possible. With the help from pnlang directory in Blocks module this   
vulnerability is very easy to exploit. Remote code execution also possible   
with help of 3rd party module which allow image upload or through   
accesible apache log file.  
  
--pnMod.php--  
} else {  
if(file_exists("modules/$modname/pn$type/$func.php"))  
{  
  
require_once("modules/$modname/pn$type/$func.php");<-- THE PROBLEM  
  
return $modfunc($args);  
}  
-------------  
  
Proof of concept  
================  
http://server.com/index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00  
  
Fix  
===  
Fix Available from postnuke cvs since 5th May 2005  
  
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48  
  
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/  
index.php.diff?r1=1.39&r2=1.40  
  
Vendor Response  
===============  
3rd May 2005 - Vendor contacted  
4th May 2005 - Vendor Reply  
5th May 2005 - Fix Available  
  
Thanks  
======  
Andreas Krapoh from postnuke for fast response in this issue.  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 May 2005 00:00Current
7.4High risk
Vulners AI Score7.4
postnuke 0.750web content management systemphpmysqldirectory traversallocal file inclusionremote code executionproof of conceptfixvendor response
23