Multiple vulnerabilities in PostNuke <= 0.761

CVE: N/A        Category: CWE-0        Price: N/A        Severity: High
Author: Maksymilian Arciemowicz        Risk: High        Exploitation Type: Remote        Date: 2006-02-25
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006020060

Below is a copy:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Multiple vulnerabilities in PostNuke <= 0.761]

SecurityAlert SA033

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 19.2.2006
from SecurityReason.Com

- --- 0. Description ---

PostNuke: The Phoenix Release (0.761)

PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development, but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---

PostNuke filters request input with the function pnVarCleanFromInput() (file includes/pnAPI.php, lines 419-515):

- -419-515---
function pnVarCleanFromInput()
{
    // Create an array of bad objects to clean out of input variables
    $search = array('|</?\s*SCRIPT.*?>|si',
                    '|</?\s*FRAME.*?>|si',
                    '|</?\s*OBJECT.*?>|si',
                    '|</?\s*META.*?>|si',
                    '|</?\s*APPLET.*?>|si',
                    '|</?\s*LINK.*?>|si',
                    '|</?\s*IFRAME.*?>|si',
                    '|STYLE\s*=\s*"[^"]*"|si');

    // Create an empty array that will be used to replace any malacious code
    $replace = array('');
...
- -419-515---

and with pnSecureInput() (file includes/pnAntiCracker.php, lines 31-109), the pnAntiCracker check named in the heading:

- -31-109---
function pnSecureInput()
{
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // extended by Neo

    if (count($_GET) > 0) {
        //        Lets now sanitize the GET vars
        foreach ($_GET as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("\"", $secvalue))) {
                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.');
                        Header("Location: index.php");
                }
            }
        }
    }

    //        Lets now sanitize the POST vars
    if ( count($_POST) > 0) {
        foreach ($_POST as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue))
                        ) {

                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.');
                        Header("Location: index.php");
                }
            }
        }
    }

    //        Lets now sanitize the COOKIE vars
    if ( count($_COOKIE) > 0) {
        foreach ($_COOKIE as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*img.*\"?[^>]*>", $secvalue))
                        ) {

                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','COOKIE Intrusion detection.');
                        Header("Location: index.php");
                }
            }
        }
    }
}
- -31-109---


pnVarCleanFromInput() strips the following HTML tags from input, and pnSecureInput() redirects to index.php when a value contains a tag from its own, similar list:

- <script>
- <frame>
- <object>
- <meta>
- <applet>
- <link>
- <iframe>
and
- STYLE=

Every pattern in both functions requires a closing ">" after the tag name (".*?>" in pnVarCleanFromInput(), "[^>]*>" in pnSecureInput()). So if we send the script a tag that is never closed, for example:

# <HTMLTAG?    < Hi

neither function finds a forbidden tag, because there is no ">" anywhere in the value. The browser is more forgiving: it still reads

"<HTMLTAG?    < Hi"

as the start of a tag and closes it at the next ">" it meets, so the page is rendered as if the input had been:

# <HTMLTAG?    > Hi

The same class of bug was described in:
http://securityreason.com/achievement_securityalert/28
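
The bypass above, as an added example written for this page and not taken from PostNuke: the two blacklist filters are re-created from the excerpts quoted in section 1 and run over two constructed inputs, one closed tag and one tag that is never closed, next to the output-encoding fix that does not depend on tag syntax at all. preg_match() stands in for eregi(), which was removed in PHP 7; the function names cleanFromInput(), secureInputFlagsGet() and encodeForHtml(), and the sample inputs, are this example's own.

```php
<?php
// Added example, not PostNuke's code: re-creates the two blacklist filters
// quoted in the advisory on a few constructed inputs, to show why a tag that
// is never closed slips past both, and what the fix looks like. preg_match()
// stands in for eregi(), which was removed in PHP 7; the patterns are the
// advisory's, transcribed.

// pnVarCleanFromInput(): the same $search array. Every pattern ends in '>'.
function cleanFromInput(string $value): string
{
    $search = ['|</?\s*SCRIPT.*?>|si',  '|</?\s*FRAME.*?>|si',
               '|</?\s*OBJECT.*?>|si',  '|</?\s*META.*?>|si',
               '|</?\s*APPLET.*?>|si',  '|</?\s*LINK.*?>|si',
               '|</?\s*IFRAME.*?>|si',  '|STYLE\s*=\s*"[^"]*"|si'];
    return preg_replace($search, '', $value);
}

// pnSecureInput(), GET branch: "<[^>]*WORD.*\"?[^>]*>" for each keyword,
// the (or|and) ... (=|like) check, and the bare double-quote check.
// Again every tag pattern needs a '>' somewhere after the keyword.
function secureInputFlagsGet(string $value): bool
{
    $words = ['script', 'object', 'iframe', 'applet', 'meta', 'style',
              'form', 'window', 'alert', 'img', 'document', 'cookie'];
    foreach ($words as $word) {
        if (preg_match('/<[^>]*' . $word . '.*"?[^>]*>/is', $value)) {
            return true;
        }
    }
    return preg_match('/.*\s(or|and)\s.*(=|like).*/is', $value) === 1
        || strpos($value, '"') !== false;
}

// The fix that survives any tag syntax: encode on output instead of
// pattern-matching on input. Every '<', '>', '"' and "'" becomes an entity.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs. The second one instantiates the advisory's
// "<HTMLTAG?    < Hi" shape: a tag with attributes but no closing '>'.
$inputs = [
    'closed tag' => '<script>alert(1)</script>',
    'open tag'   => '<img src=x onerror=alert(1) ',
];

foreach ($inputs as $label => $value) {
    printf("%-10s cleaned: %s\n", $label, cleanFromInput($value));
    printf("%-10s flagged: %s\n", $label, secureInputFlagsGet($value) ? 'yes' : 'no');
    printf("%-10s encoded: %s\n", $label, encodeForHtml($value));
}
```

Run it with php on the command line. The closed tag loses its <script> and </script> and is flagged by the GET check, while the unterminated tag comes back from cleanFromInput() untouched and is not flagged, because no pattern can match without a ">" in the value; note that the GET branch even refuses any value containing a double quote, and the unterminated tag needs none. encodeForHtml() neutralises both inputs the same way, which is why output encoding, not a tag blacklist, is the durable fix.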

- --- 2. XSS ---

2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS]

2.1
The same bypass works in the Title field of "Post Comment". Send a reply whose title is, for example:

<HTMLTAG <

- --- 3. Bypass Access, Critical SQL Injection, XSS ---
Open:

http://[HOST]/[DIR]/admin.php?module=NS-Languages
http://[HOST]/[DIR]/admin.php?module=Banners

and you get every option of the Languages and Banners modules. You do not need to be admin.
The Languages module has further issues.

If magic_quotes_gpc is Off, the language parameter is SQL injectable:

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL INJECTION

If it is On, the quote is escaped before it reaches the query, but the same parameter is still echoed into the page, so you get XSS instead:

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XSS]
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[XSS]

For Security Reason there will be No Official Exploit for Postnuke.
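
The three defects of section 3 side by side, as an added example and not the NS-Languages module itself, which the advisory does not quote: a hypothetical admin action that takes ?language= with no permission check, concatenates it into SQL and echoes it raw into HTML, followed by a hardened version. The languages table, the function names, the request values and the $isAdmin flag are constructed for illustration (in PostNuke the permission call would be pnSecAuthAction() with ACCESS_ADMIN); an in-memory SQLite database via pdo_sqlite stands in for the site's MySQL, and magic_quotes_gpc, removed in PHP 5.4, is emulated with addslashes() so both of the advisory's cases can be run.

```php
<?php
// Added example, not PostNuke code. Hypothetical "op=missing" handler with
// the advisory's three defects (no admin check, ?language= concatenated into
// SQL, value echoed raw into HTML) next to a hardened version. Table, names,
// request values and the admin flag are stand-ins for illustration.

function setupDb(): PDO
{
    // in-memory SQLite (pdo_sqlite) stands in for the site's MySQL database
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE languages (code TEXT, name TEXT)');
    $db->exec("INSERT INTO languages VALUES ('eng', 'English'), ('pol', 'Polish')");
    return $db;
}

// Vulnerable shape: anyone may call it, and $language reaches both the SQL
// and the HTML sink unchanged.
function opMissingVulnerable(PDO $db, string $language): string
{
    $rows = $db->query("SELECT name FROM languages WHERE code = '$language'")
               ->fetchAll(PDO::FETCH_COLUMN);
    return "<h2>Missing strings for $language</h2>" . implode(', ', $rows);
}

// Hardened shape: authorisation first, a bound parameter for the query and
// entity encoding for the output. Neither depends on magic_quotes_gpc.
// $isAdmin stands in for pnSecAuthAction(..., ACCESS_ADMIN).
function opMissingHardened(PDO $db, string $language, bool $isAdmin): string
{
    if (!$isAdmin) {
        return 'Access denied';
    }
    $stmt = $db->prepare('SELECT name FROM languages WHERE code = :code');
    $stmt->execute([':code' => $language]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $enc  = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return "<h2>Missing strings for {$enc($language)}</h2>"
         . implode(', ', array_map($enc, $rows));
}

$db = setupDb();

// magic_quotes_gpc Off: the quote reaches the query intact, the WHERE clause
// is rewritten, and every language row comes back.
$injected = "' OR '1'='1";
echo "Off, vulnerable: ", opMissingVulnerable($db, $injected), "\n";

// magic_quotes_gpc On (emulated with addslashes): the backslashed quote no
// longer breaks the SQL, but nothing protects the HTML sink, so the
// advisory's second case, XSS, remains.
$xss = addslashes('"><script>alert(1)</script>');
echo "On, vulnerable:  ", opMissingVulnerable($db, $xss), "\n";

// Hardened: a guest is refused; an admin gets a literal comparison and an
// encoded echo for either payload.
echo "Hardened, guest: ", opMissingHardened($db, $injected, false), "\n";
echo "Hardened, admin: ", opMissingHardened($db, $injected, true), "\n";
echo "Hardened, admin: ", opMissingHardened($db, $xss, true), "\n";
```

Run it with php on the command line. The first call lists both languages, showing the WHERE clause was rewritten; the second returns no rows but prints the <script> tag back verbatim; the hardened calls refuse the guest and, for the admin, match nothing and print the payloads as entities.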

- --- 4. How to fix ---

Download PostNuke 0.762 or update your installation to 0.762.

- --- 5. Greets ---
Special: sp3x

p_e_a, eax

- --- 6. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD+NKy3Ke13X/fTO4RAraIAJ49qqD8/2AKKg5OE8Uw5ozbE5KxWQCgnVAL
2Zvpf0c+8dfNsndg8ZXwqto=
=zYaR
-----END PGP SIGNATURE-----


Copyright ©2024 Exploitalert.
