[38879] in bugtraq
Postnuke 0.750 - 0.760rc4 local file inclusion
daemon@ATHENA.MIT.EDU (pokley)
Mon May 16 15:24:18 2005
X-Antivirus-SCAN-Associates-Sdn-Bhd-Mail-From: pokleyzz@scan-associates.net via mail.scan-associates.net
Date: Mon, 16 May 2005 13:08:03 +0800
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
"full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>
From: pokley <pokleyzz@scan-associates.net>
Content-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <opsquq7pbdsmddlu@sampah.mshome.net>
Product : Postnuke 0.750 (http://www.postnuke.com)
Description: Postnuke 0.750 - 0.760rc4 local file inclusion
Severity: High
Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.
Detail
======
Directory traversal in function pnModFunc
-----------------------------------------
We have found serious vulnerability which allow any user to view/include
local file in function pnModFunc. This is due to lack of error checking in
function pnModFunc when user supply func through index.php. func variable
will sanitize using pnVarCleanFromInput which will remove any slashes
before pass to pnModFunc in index.php. This make nullbyte poisoning
possible. With the help from pnlang directory in Blocks module this
vulnerability is very easy to exploit. Remote code execution also possible
with help of 3rd party module which allow image upload or through
accesible apache log file.
--pnMod.php--
} else {
if(file_exists("modules/$modname/pn$type/$func.php"))
{
require_once("modules/$modname/pn$type/$func.php");<-- THE PROBLEM
return $modfunc($args);
}
-------------
Proof of concept
================
http://server.com/index.php?module=Blocks&type=lang&func=../../../../../../etc/passwd%00
Fix
===
Fix Available from postnuke cvs since 5th May 2005
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48
http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/
index.php.diff?r1=1.39&r2=1.40
Vendor Response
===============
3rd May 2005 - Vendor contacted
4th May 2005 - Vendor Reply
5th May 2005 - Fix Available
Thanks
======
Andreas Krapoh from postnuke for fast response in this issue.
