[Multiple vulnerabilities in PostNuke <= 0.761] Author: Maksymilian Arciemowicz Date: 19.2.2006 - --- 0.Description --- PostNuke: The Phoenix Release (0.761) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ - --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker --- In PostNuke is function pnVarCleanFromInput() (file includes/pnAPI.php). - -419-515--- function pnVarCleanFromInput() { // Create an array of bad objects to clean out of input variables $search = array('|</?\s*SCRIPT.*?>|si', '|</?\s*FRAME.*?>|si', '|</?\s*OBJECT.*?>|si', '|</?\s*META.*?>|si', '|</?\s*APPLET.*?>|si', '|</?\s*LINK.*?>|si', '|</?\s*IFRAME.*?>|si', '|STYLE\s*=\s*"[^"]*"|si'); // Create an empty array that will be used to replace any malacious code $replace = array(''); ... - -419-515--- and function pnSecureInput() (file includes/pnAntiCracker.php). - -31-109--- function pnSecureInput() { // Cross-Site Scripting attack defense - Sent by larsneo // some syntax checking against injected javascript // extended by Neo if (count($_GET) > 0) { // Lets now sanitize the GET vars foreach ($_GET as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("\"", $secvalue))) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.'); Header("Location: index.php"); } } } } // Lets now sanitize the POST vars if ( count($_POST) > 0) { foreach ($_POST as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.'); Header("Location: index.php"); } } } } // Lets now sanitize the COOKIE vars if ( count($_COOKIE) > 0) { foreach ($_COOKIE as $secvalue) { if (!is_array($secvalue)) { if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) || (eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) || (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ) { pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','COOKIE Intrusion detection.'); Header("Location: index.php"); } } } } } - -31-109--- This functions deletes from input html tags like: - <script> - <frame> - <object> - <meta> - <applet> - <link> - <iframe> and - STYLE= Ok. But if we sent to script: # <HTMLTAG? < Hi The functions don't find wrong tags. And browser read this "<HTMLTAG? < Hi" and change "<" to ">". Result: # <HTMLTAG? > Hi - --- 2. XSS --- 2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS] 2.1 That some but in Title in "Post Comment". Try to send title of reply like <HTMLTAG < - --- 3. Bypass Access, Critical SQL Injection, XSS --- Try to go: http://[HOST]/[DIR]/admin.php?module=NS-Languages http://[HOST]/[DIR]/admin.php?module=Banners and you have access to all options in modules like Languages, Banners. You don't need to be admin! In module Languages exists more issues. if magic_quotes_gpc is Off.. You have SQL INJECTION http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL INJECTION Or if On.. xss http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XSS] http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[XSS] For Security Reason there will be No Official Exploit for Postnuke. - --- 4. How to fix --- Download the new version of the script(.762) or update to .762. - --- 5. Greets --- p_e_a, eax - --- 6.Contact --- Author: Maksymilian Arciemowicz