[Multiple vulnerabilities in PostNuke 0.760-RC4b=>x cXIb8O3.15] Author: Maksymilian Arciemowicz ( cXIb8O3 ) Date: 22.8.2005 from SECURITYREASON.COM - --- 0.Description --- PostNuke: The Phoenix Release (0.750) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ - --- 1. Sql injection in Download --- This sql injection is non critical because exploit works only with admin rights (mysql). The problem is in "modules/Downloads/dl-viewdownload.php". - -------- if ($show!="") { $perpage = $show; } else { $show=$perpage; } ... $result =& $dbconn->SelectLimit($sql,$perpage,$min); - -------- varible $perpage. So http://[HOST]/[DIR]/index.php?name=Downloads&req=viewdownload&cid=1&show=[SQL%20INJECTION] - --- 2. XSS --- 2.0 http://[HOST]/[DIR]/index.php?module=Comments&req=moderate&moderate=<center><h1>xss 2.1 http://cxib.server/PostNuke-0.760-RC4b/html/user.php?op=edituser&htmltext=<h1>xss - --- 3. How to fix --- Download the new version of the script or update. - --- 4.Contact --- Author: Maksymilian Arciemowicz