I must be missing what you are saying to replace 1234 with, as I didnt get anything but errors. However, Deactivating the module only would not be sufficient as the module itself is still accessible. I would say that if you want to secure it completely, either remove it from the modules, or rename it to something unique so that it cant be found. ----- Original Message ----- From: "rkc" <rkc@uncompiled.com> To: <bugtraq@securityfocus.com> Sent: Wednesday, March 26, 2003 6:47 PM Subject: PostNuke Sensitive Information Disclosure > Title: PostNuke path disclosure, and... (db name). > Version: 0.7.2.3-Phoenix (other) > Problem: > > A vulnerability have been found in Postnuke (v0.7.2.3-Phoenix) which allow > users to determine the physical path of this cms. > > This vulnerability would allow a remote user to determine the full path to > the web root directory and other information, like the database name (!) > > > Example: > > http://www.target.com/modules.php?op=modload&name=Members_List&file=index&le > tter=All&sortby=uname1234 > > Change 1234 by anything. > > > ----- > > If you are looking for: > > * Path disclosure in 0.7.2.2 & 0.7.2.1 v: > (Two simples examples) > > http://www.target.com/modules.php?op=modload&name=Stats&file= > > http://www.target.com/modules.php?op=modload&name=Members_List&file=index&le > tter=Svi&sortby=uname1234 > > (Change 1234 by anything). > > (not.always) > > ----- > > Solutions: > > Change the Member_List privileges, for admin's only (?) > Deactivate the Member_List module (?) > > ----- > > > Greetz ! > > > rkc > > ~ > Rep. Argentina > 6765656B207374796C65 > StFU, and RtFM ! --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.463 / Virus Database: 262 - Release Date: 3/17/2003
