[24804] in bugtraq
PostNuke Bugged
daemon@ATHENA.MIT.EDU (Scott)
Fri Mar 22 20:15:18 2002
Date: 22 Mar 2002 18:31:12 -0000
Message-ID: <20020322183112.26906.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Scott <rootkidd@email.com>
To: bugtraq@securityfocus.com
Hi everyone,
this post is 4 weeks after the original information was made available to the developers, allowing time for many affected users to patch and also the developers to fix / check newer versions.
---------
Rootkidd found another set of vulnerabilities in postnuke, this time in version 7.0.3 and below.
www.postnuke.com
This software will allow anyone to produce an interactive website for their users. Sadly, due to the nature of this software, user input validation is not done correctly. This is serious as ALL websites running postnuke prior to today's CVS version are vulnerable. While CSS bugs are well known and widespread, it seems that many such sites are still falling victim.
The particular issues allow a user to craft special URLs by using postnuke.com or any derived website and then force a script-enabled browser to run hostile code or other trickeries. It is also possible to steal a user's login session details and passwords.
Rootkidd can now post this as apparently the software, according to the Postnuke developers, has been fixed in their latest CVS version, which was created today, 02/03/02. However, many sites using it are still unpatched. Please update!!
There are many more bugs than those that follow.
-Example
http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com"> <-- this is funny :o)
http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>
The cookie details are displayed on the page as well as in an alert window, which could lead to a user's account being compromised.
The below text will be shown on the web page once run.
PHPLive New!
alert(document.cookie)&unique=1015076420651
border=0
alt='Click for Live Support!'>
We also get some cool information from the site that we should not-
DB Error: getArticles: 1064: You have an error in your SQL syntax near '= ORDER BY nuke_stories.sid DESC LIMIT 1' at line 23
We also get a fully qualified path to the files we hack,
allowing one to guess OS type and other such things.
There are many bugs similar to these with pages other than the examples shown. Most people think it is just modules.php but this is NOT the case.
This is an example of some other info that can be retrieved-
22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc ' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n
22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on ) Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc limit 0,10' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc limit 0,10 " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069" \n
Fix-
Visit postnuke.com & trollix.com for a patch script, upgrade your postnuke version, use "strip_tags($Evil_halt, "acceptable html ");", filter unwanted code being passed to the server, add <>, cookie and other such characters / words to your snort config and finally DISABLE error reporting in php.ini.
http://sourceforge.net/tracker/index.php?func=detail&aid=524777&group_id=27927&atid=392228
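To make the fix section concrete, here is an added PHP example (not PostNuke's code and not part of the original post). It shows the request-handling pattern the advisory describes next to a hardened version that validates the "catid" parameter, encodes output, keeps database errors out of the response, and uses strip_tags() with an allow-list. The function and parameter names are illustrative, the php.ini directives are the standard display_errors / log_errors settings, and the inputs at the bottom are constructed from the advisory's own example.

```php
<?php
// Added example, not PostNuke's code. Function and parameter names are illustrative.

// Unsafe: the raw "catid" parameter and the raw database error both land in the page.
function render_category_unsafe(array $get, ?string $db_error): string
{
    $catid = $get['catid'] ?? '';
    $html  = '<h1>Category ' . $catid . '</h1>';                     // unvalidated, unencoded
    if ($db_error !== null) {
        $html .= '<p>DB Error: getArticles: ' . $db_error . '</p>';  // SQL text shown to the visitor
    }
    return $html;
}

// Hardened: validate the type, encode on output, keep errors out of the response.
function render_category_safe(array $get, ?string $db_error): string
{
    // 1. A category id is a positive integer; anything else is rejected outright.
    $catid = filter_var($get['catid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($catid === false) {
        return '<p>Invalid category.</p>';
    }
    // 2. Encode before inserting into HTML, even for a value that passed validation.
    $html = '<h1>Category ' . htmlspecialchars((string) $catid, ENT_QUOTES, 'UTF-8') . '</h1>';
    // 3. Database errors go to the server log, never to the browser.
    if ($db_error !== null) {
        error_log('getArticles failed: ' . $db_error);
        $html .= '<p>Content is temporarily unavailable.</p>';
    }
    return $html;
}

// For fields where a little markup is wanted: strip_tags() with an allow-list, which is
// the call the advisory names. strip_tags() does not touch attributes on the tags it
// keeps, so a second pass removes every attribute from the surviving tags.
function clean_comment(string $text): string
{
    $allowed  = '<b><i><p>';                              // constructed allow-list
    $stripped = strip_tags($text, $allowed);
    return preg_replace('/<(\w+)[^>]*>/', '<$1>', $stripped);
}

// The advisory's last recommendation, as php.ini directives:
//   display_errors = Off
//   log_errors     = On
// The same settings applied at runtime for this script:
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed inputs based on the advisory's example.
$probe = ['catid' => '<script>alert(document.cookie)</script>'];
echo render_category_unsafe($probe, null), PHP_EOL;                       // reflects the script tag
echo render_category_safe($probe, null), PHP_EOL;                         // rejected as a non-integer
echo render_category_safe(['catid' => '7'], '1064: You have an error in your SQL syntax'), PHP_EOL;
echo clean_comment('<b onmouseover="alert(1)">hi</b><script>alert(1)</script>'), PHP_EOL;
```

The integer check does most of the work for a parameter like catid: once the value can only be a number, there is nothing left for a browser to execute. For free-text fields the allow-list plus attribute stripping shown in clean_comment() is a minimum; a maintained HTML sanitizer library is the better choice for anything beyond a handful of tags. Turning display_errors off removes both the SQL fragments and the full file paths the advisory mentions from the page, while log_errors keeps them available to the administrator.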
----
Rootkidd thinks that all PHP-based sites are at risk, and has found many bugs in phpnuke that are almost identical: path disclosure, css, csrf, sql statements and many more nice things.
This is Rootkidd's first post to Bugtraq, as Rootkidd has always tried to keep bug releases to the rootkidd site only, but has now removed that site and removed this method of informing people.
Thanks, and happy hacking.