Source: http://securityreason.com/achievement_securityalert/33

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Multiple vulnerabilities in PostNuke <= 0.761]

SecurityAlert SA033

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 19.2.2006
from SecurityReason.Com

- --- 0.Description ---

PostNuke: The Phoenix Release (0.761)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---

In PostNuke is function pnVarCleanFromInput() (file includes/pnAPI.php).

- -419-515---
function pnVarCleanFromInput()
{
    // Create an array of bad objects to clean out of input variables
    $search = array('|</?\s*SCRIPT.*?>|si',
                    '|</?\s*FRAME.*?>|si',
                    '|</?\s*OBJECT.*?>|si',
                    '|</?\s*META.*?>|si',
                    '|</?\s*APPLET.*?>|si',
                    '|</?\s*LINK.*?>|si',
                    '|</?\s*IFRAME.*?>|si',
                    '|STYLE\s*=\s*"[^"]*"|si');

    // Create an empty array that will be used to replace any malacious code
    $replace = array('');
...
- -419-515---

and function pnSecureInput() (file includes/pnAntiCracker.php).

- -31-109---
function pnSecureInput()
{
    // Cross-Site Scripting attack defense - Sent by larsneo
    // some syntax checking against injected javascript
    // extended by Neo

    if (count($_GET) > 0) {
        //        Lets now sanitize the GET vars
        foreach ($_GET as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", 
$secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("\"", $secvalue))) {
                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity 
Alert','GET Intrusion detection.');
                        Header("Location: index.php");
                }
            }
        }
    }

    //        Lets now sanitize the POST vars
    if ( count($_POST) > 0) {
        foreach ($_POST as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue))
                        ) {

                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity 
Alert','POST Intrusion detection.');
                        Header("Location: index.php");
                }
             }
        }
    }

    //        Lets now sanitize the COOKIE vars
    if ( count($_COOKIE) > 0) {
        foreach ($_COOKIE as $secvalue) {
            if (!is_array($secvalue)) {
                if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
                        (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", 
$secvalue)) ||
                        (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
                        (eregi("<[^>]*img.*\"?[^>]*>", $secvalue))
                        ) {

                        pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity 
Alert','COOKIE Intrusion detection.');
                        Header("Location: index.php");
                }
            }
        }
    }
}
- -31-109---


This functions deletes from input html tags like:

	- <script>
	- <frame>
	- <object>
	- <meta>
	- <applet>
	- <link>
	- <iframe>
and
	- STYLE=

Ok. But if we sent to script:

# <HTMLTAG?    < Hi

The functions don't find wrong tags.
And browser read this 

"<HTMLTAG?    < Hi"

and change "<" to ">".
Result:

# <HTMLTAG?    > Hi

Bug like in: 
http://securityreason.com/achievement_securityalert/28

- --- 2. XSS ---

2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS]

2.1 
That some but in Title in "Post Comment".
Try to send title of reply like 

<HTMLTAG <

- --- 3. Bypass Access, Critical SQL Injection, XSS ---
Try to go:

http://[HOST]/[DIR]/admin.php?module=NS-Languages
http://[HOST]/[DIR]/admin.php?module=Banners

and you have access to all options in modules like Languages, Banners. You 
don't need to be admin!
In module Languages exists more issues.

if magic_quotes_gpc is Off.. You have SQL INJECTION

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL 
INJECTION

Or if On.. xss

http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XSS]
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[XSS]

For Security Reason there will be No Official Exploit for Postnuke.

- --- 4. How to fix ---

Download the new version of the script(.762) or update to .762.

- --- 5. Greets ---
Special: sp3x

p_e_a, eax

- --- 6.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD+NKy3Ke13X/fTO4RAraIAJ49qqD8/2AKKg5OE8Uw5ozbE5KxWQCgnVAL
2Zvpf0c+8dfNsndg8ZXwqto=
=zYaR
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/