Hi everyone, this post is 4 weeks after the original information was made available to the developers, allowing time for many affected users to patch and also for the developers to fix / check newer versions.

---------

rootkidd found another set of vulnerabilities in postnuke, this time in version 7.0.3 and below.

www.postnuke.com

This software will allow anyone to produce an interactive website for their users. Sadly, due to the nature of this software, user input validation is not done correctly. This is serious as ALL websites running postnuke prior to today's CVS version are vulnerable. While CSS bugs are well known and widespread, it seems that many such sites are still falling victim.

The particular issues allow a user to craft special URLs by using postnuke.com or any derived website and then force a script-enabled browser to run hostile code or other trickeries. It is also possible to steal a user's login session details and passwords.

Rootkidd can now post this as apparently the software, according to the Postnuke developers, has been fixed in their latest CVS version, which was created today, 02/03/02. However, many sites using it are still unpatched. Please update!!

There are many more bugs than those that follow.

-Example

  http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com">   <-- this is funny :o)

  http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>

The cookie details are displayed on the page as well as in an alert window, which could lead to a user's account being compromised. The below text will be shown on the web page once run.

  PHPLive New!
  alert(document.cookie)&unique=1015076420651 border=0 alt='Click for Live Support!'>

We also get some cool information from the site that we should not:

  DB Error: getArticles: 1064: You have an error in your SQL syntax near '= ORDER BY nuke_stories.sid DESC LIMIT 1' at line 23

We also get a fully qualified path to the files we hack, allowing one to guess OS type and other such things.

There are many bugs similar to these with pages other than the examples shown. Most people think it is just modules.php but this is NOT the case. This is an example of some other info that can be retrieved:

  22/03/2002,19:32 "Error on /index.php?xcontentmode= -> -> /index.php (linked on ) Database error: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc ' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069"

  22/03/2002,19:32 "Error on /index.php?xcontentmode= -> -> /index.php (linked on ) Database error: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc limit 0,10' at line 1 Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc limit 0,10 " Error: "" Request:"/index.php?xcontentmode=" Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" Port:"32069"

Fix-

Visit postnuke.com & trollix.com for a patch script, upgrade your postnuke version, use

  strip_tags($Evil_halt, "acceptable html");

filter unwanted code being passed to the server, add <>, cookie and other such characters / words to your snort config and finally DISABLE error reporting in php.ini.

http://sourceforge.net/tracker/index.php?func=detail&aid=524777&group_id=27927&atid=392228

----

Rootkidd thinks that all php based sites are at risk, and has found many bugs with phpnuke that are almost identical: path disclosure, css, csrf, sql statements and many more nice things.

This is rootkidd's first post to Bugtraq, as rootkidd has always tried to keep bug releases to the rootkidd site only, but has now removed that site and removed this method of informing people.

Thanks, and happy hacking.
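The following is an added example, not code from the post above or from PostNuke (which is written in PHP); it is written in Python purely to illustrate two of the post's points. First, it contrasts reflecting the catid parameter into the page verbatim (the behaviour the post describes) with HTML-encoding it before output. Second, it implements the post's suggestion of watching for <>, "cookie" and similar strings in request traffic, as a small scanner over access-log lines that percent-decodes every query parameter before matching, so the %3Ciframe%20... form of the modules.php example is caught as well as the plain one. The log lines, IP addresses, timestamps and the two render functions are constructed for illustration; the parameter names and payloads are the ones from the post's example URLs.

```python
"""Reflected cross-site scripting (the post calls it CSS): vulnerable vs
encoded output, and log-based detection of the post's example URLs.

Added example, not PostNuke code. Everything below is constructed for
illustration: the render functions stand in for the PHP that echoes
catid, and SAMPLE_LOG is hand-written in Apache combined format.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- 1. Reflecting a request parameter: verbatim vs HTML-encoded -----------

def render_vulnerable(catid: str) -> str:
    """Echo the parameter into the page unchanged (the flaw the post shows).
    A catid of <script>alert(document.cookie)</script> is returned as live
    markup, so a script-enabled browser executes it."""
    return f"<p>No stories for category {catid}</p>"

def render_hardened(catid: str) -> str:
    """Encode the parameter for an HTML text context before reflecting it.
    html.escape turns < > & " ' into entities, so the browser displays the
    payload as text instead of executing it."""
    return f"<p>No stories for category {html.escape(catid, quote=True)}</p>"

# --- 2. Detection over access-log lines -------------------------------------

# Watch-words in the spirit of the post's snort advice (<> and "cookie"),
# plus the tag names the post's examples actually use. Matching is done on
# the percent-decoded parameter value, so %3C / %20 encodings do not evade it.
XSS_PATTERNS = re.compile(
    r"<\s*/?\s*(script|iframe|img|object|embed)\b|document\.cookie|javascript:",
    re.IGNORECASE,
)

# Apache combined-format line: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines (not real traffic). Lines 1 and 2 carry the post's
# two example payloads, line 2 in its percent-encoded form; lines 3 and 4
# are benign requests, the last one being the xcontentmode= request from
# the post's SQL-error excerpt, which is empty and so must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2002:19:32:01 +0100] "GET /index.php?catid=<script>alert(document.cookie)</script> HTTP/1.0" 200 1423
10.0.0.6 - - [22/Mar/2002:19:32:02 +0100] "GET /modules.php?op=modload&name=%3Ciframe%20src%3D%22http://www.microsoft.com%22%3E HTTP/1.0" 200 2210
10.0.0.7 - - [22/Mar/2002:19:32:03 +0100] "GET /index.php?catid=12 HTTP/1.0" 200 5120
10.0.0.8 - - [22/Mar/2002:19:32:04 +0100] "GET /index.php?xcontentmode= HTTP/1.0" 200 880
"""

def scan_log(text: str) -> list:
    """Return one finding per (request, parameter) whose decoded value
    matches XSS_PATTERNS. parse_qs percent-decodes each value once;
    keep_blank_values=True keeps empty parameters such as xcontentmode=
    visible, which matters when hunting the SQL-error disclosure too."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than crash
        url = urlsplit(m["url"])
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hit = XSS_PATTERNS.search(value)
                if hit:
                    findings.append({
                        "ip": m["ip"],
                        "path": url.path,
                        "param": name,
                        "match": hit.group(0),
                    })
    return findings

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']} matched {f['match']!r}")
```

The example encodes the reflected value at the point of output rather than stripping tags: an allow-list of "acceptable html" still lets through attributes such as event handlers on the permitted tags, whereas entity-encoding for the context the value lands in leaves nothing for the browser to execute. On the detection side, decode before matching; a rule that looks for a literal `<` in the raw request line will miss the `%3Ciframe` form of the post's second example.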