[Multiple vulnerabilities in PostNuke <= 0.761]
Author: Maksymilian Arciemowicz
Date: 19.2.2006
- --- 0.Description ---
PostNuke: The Phoenix Release (0.761)
PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/
- --- 1. Bypass pnVarCleanFromInput() and pnAntiCracker ---
In PostNuke is function pnVarCleanFromInput() (file includes/pnAPI.php).
- -419-515---
function pnVarCleanFromInput()
{
// Create an array of bad objects to clean out of input variables
$search = array('|</?\s*SCRIPT.*?>|si',
'|</?\s*FRAME.*?>|si',
'|</?\s*OBJECT.*?>|si',
'|</?\s*META.*?>|si',
'|</?\s*APPLET.*?>|si',
'|</?\s*LINK.*?>|si',
'|</?\s*IFRAME.*?>|si',
'|STYLE\s*=\s*"[^"]*"|si');
// Create an empty array that will be used to replace any malacious code
$replace = array('');
...
- -419-515---
and function pnSecureInput() (file includes/pnAntiCracker.php).
- -31-109---
function pnSecureInput()
{
// Cross-Site Scripting attack defense - Sent by larsneo
// some syntax checking against injected javascript
// extended by Neo
if (count($_GET) > 0) {
// Lets now sanitize the GET vars
foreach ($_GET as $secvalue) {
if (!is_array($secvalue)) {
if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
(eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
(eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
(eregi("\"", $secvalue))) {
pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','GET Intrusion detection.');
Header("Location: index.php");
}
}
}
}
// Lets now sanitize the POST vars
if ( count($_POST) > 0) {
foreach ($_POST as $secvalue) {
if (!is_array($secvalue)) {
if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta.*\"?[^>]*>", $secvalue))
) {
pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','POST Intrusion detection.');
Header("Location: index.php");
}
}
}
}
// Lets now sanitize the COOKIE vars
if ( count($_COOKIE) > 0) {
foreach ($_COOKIE as $secvalue) {
if (!is_array($secvalue)) {
if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
(eregi(".*[[:space:]](or|and)[[:space:]].*(=|like).*", $secvalue)) ||
(eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img.*\"?[^>]*>", $secvalue))
) {
pnMailHackAttempt('pnAntiCracker',__LINE__,'pnSecurity Alert','COOKIE Intrusion detection.');
Header("Location: index.php");
}
}
}
}
}
- -31-109---
This functions deletes from input html tags like:
- <script>
- <frame>
- <object>
- <meta>
- <applet>
- <link>
- <iframe>
and
- STYLE=
Ok. But if we sent to script:
# <HTMLTAG? < Hi
The functions don't find wrong tags.
And browser read this
"<HTMLTAG? < Hi"
and change "<" to ">".
Result:
# <HTMLTAG? > Hi
- --- 2. XSS ---
2.0 http://[HOST]/[DIR]/user.php?op=edituser&htmltext=[XSS]
2.1
That some but in Title in "Post Comment".
Try to send title of reply like
<HTMLTAG <
- --- 3. Bypass Access, Critical SQL Injection, XSS ---
Try to go:
http://[HOST]/[DIR]/admin.php?module=NS-Languages
http://[HOST]/[DIR]/admin.php?module=Banners
and you have access to all options in modules like Languages, Banners. You don't need to be admin!
In module Languages exists more issues.
if magic_quotes_gpc is Off.. You have SQL INJECTION
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language='SQL INJECTION
Or if On.. xss
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=missing&language=">[XSS]
http://[HOST]/[DIR]/admin.php?module=NS-Languages&op=translation&language=[XSS]
For Security Reason there will be No Official Exploit for Postnuke.
- --- 4. How to fix ---
Download the new version of the script(.762) or update to .762.
- --- 5. Greets ---
p_e_a, eax
- --- 6.Contact ---
Author: Maksymilian Arciemowicz