From come2waraxe@yahoo.com Wed Apr 21 19:08:33 2004 From: Janek Vind To: laserplaat@yahoo.com Date: Wed, 21 Apr 2004 11:05:34 -0700 (PDT) Subject: [Full-Disclosure] [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2] {================================================================================} { [waraxe-2004-SA#022] } {================================================================================} { } { [ Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2 ] } { } {================================================================================} Author: Janek Vind "waraxe" Date: 21. April 2004 Location: Estonia, Tartu Web: http://www.waraxe.us/index.php?modname=sa&id=22 Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PostNuke: The Phoenix Release (0.7.2.6) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A. Full path disclosure: A1 - all blocks in "includes/blocks/" directory are not secured against direct access Example: http://localhost/postnuke0726/includes/blocks/finclude.php Fatal error: Call to undefined function: pnsecaddschema() in D:\apache_wwwroot\postnuke0726\includes\blocks\finclude.php on line 44 A2 - many scripts in "pnadodb" directory are not secured against direct access Example: http://localhost/postnuke0726/pnadodb/drivers/adodb-access.inc.php Warning: main(ADODB_DIR/drivers/adodb-odbc.inc.php): failed to open stream: No such file or directory in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14 Warning: main(): Failed opening 'ADODB_DIR/drivers/adodb-odbc.inc.php' for inclusion (include_path='.;c:\php4\pear') in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 14 Fatal error: Class adodb_access: Cannot inherit from undefined class adodb_odbc in D:\apache_wwwroot\postnuke0726\pnadodb\drivers\adodb-access.inc.php on line 19 A3 - full path disclosure in "NS-NewUser" module http://localhost/postnuke0726/modules/NS-NewUser/user.php Fatal error: Call to undefined function: modules_get_language() in D:\apache_wwwroot\postnuke0726\modules\NS-NewUser\user.php on line 31 A4 - full path disclosure in "NS-Your_Account" module http://localhost/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php http://localhost/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome A5 - full path disclosure in "NS-LostPassword" module http://localhost/postnuke0726/modules/NS-LostPassword/user.php A6 - full path disclosure in "NS-Multisites" module http://localhost/postnuke0726/modules/NS-Multisites/chgtheme.inc.php http://localhost/postnuke0726/modules/NS-Multisites/head.inc.php http://localhost/postnuke0726/modules/NS-Multisites/print.inc.php A7 - full path disclosure in "NS-User" module http://localhost/postnuke0726/modules/NS-User/tools.php http://localhost/postnuke0726/modules/NS-User/user.php B. Cross-site scripting aka XSS: XSS exploits works on PostNuke only if special anti-filtering measures are used! B1 - XSS in "Downloads" module (2 cases) http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here] http://localhost/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here] B2 - XSS in "Web_Links" module http://localhost/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here] B3 - XSS in "openwindow.php" script http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x[xss code here] http://localhost/postnuke0726/javascript/openwindow.php?hlpfile=x Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused! Special greets to UT Bee Clan members at http://bees.tk ! "Control point secured!" ;) Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ ---------------------------------- [ EOF ] ------------------------------------ __________________________________ Do you Yahoo!? Yahoo! Photos: High-quality 4x6 digital prints for 25¢ http://photos.yahoo.com/ph/print_splash _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html