-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Multiple vulnerabilities in PostNuke 0.760-RC4b=>x cXIb8O3.15]

Author: Maksymilian Arciemowicz ( cXIb8O3 )
Date: 12.6.2005
from SECURITYREASON.COM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at
http://noc.postnuke.com/
You can also visit us on our IRC Server
irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/

- --- 1. SQL injection in Download ---

This SQL injection is non-critical because the exploit works only with admin rights (mysql).

The problem is in "modules/Downloads/dl-viewdownload.php".

- --------
if ($show!="") {
    $perpage = $show;
} else {
    $show=$perpage;
}
...
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
- --------

The affected variable is $perpage, which takes the value of $show. So:

http://[HOST]/[DIR]/index.php?name=Downloads&req=viewdownload&cid=1&show=[SQL%20INJECTION]

- --- 2. XSS ---

2.0
http://[HOST]/[DIR]/index.php?module=Comments&req=moderate&moderate=

xss

2.1
http://cxib.server/PostNuke-0.760-RC4b/html/user.php?op=edituser&htmltext=

xss

- --- 3. How to fix ---

Download the new version of the script or update.

- --- 4. Greets ---

sp3x

- --- 5.Contact ---

Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com
TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCvRTRznmvyJCR4zQRAkRkAKCdKjGrMWgQq1lLjbIp3js1DPE3BACgp9qa
WN+5aC9o2/MLUjE1mKYzRP0=
=TYkF
-----END PGP SIGNATURE-----
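
Added example, not part of the signed advisory and not PostNuke's own fix: one way to constrain the show parameter from section 1 so that only a bounded integer ever reaches $perpage and SelectLimit(). The function name safe_perpage, the PERPAGE_MAX ceiling of 100 and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not PostNuke code): validate the Downloads "show"
// request parameter before it becomes $perpage, the row count that
// dl-viewdownload.php passes to SelectLimit().

const PERPAGE_MAX = 100; // assumed ceiling, not a PostNuke setting

/**
 * Return a safe per-page row count.
 *
 * $raw     untrusted request value (the advisory's $show)
 * $default configured page size (the advisory's original $perpage)
 *
 * Anything that is not a whole number in 1..PERPAGE_MAX is rejected and
 * the configured default is used instead; nothing from the request is
 * passed through as text.
 */
function safe_perpage($raw, int $default): int
{
    // filter_var() returns false for '', null, arrays (show[]=...),
    // digits followed by other text, and out-of-range numbers.
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PERPAGE_MAX],
    ]);
    return $n === false ? $default : $n;
}

// Replacement for the if/else shown in section 1 (same variable names):
//   $perpage = safe_perpage($show, $perpage);
//   $show    = $perpage;

// Constructed sample inputs: one legitimate value and several malformed ones.
$samples = ['25', '', '10 UNION SELECT 1', '1;--', '-1', '999999', ['x']];

foreach ($samples as $raw) {
    $perpage = safe_perpage($raw, 10); // 10 stands in for the site default
    printf("%-22s => %d\n", json_encode($raw), $perpage);
}
```

Only the first sample is accepted as given; every other input falls back to the default, so the value handed to SelectLimit() is always an integer.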