---------------------------------------------------------------------------
PostNuke Security Advisory PNSA 2004-2
Mark West
http://www.postnuke.com/
April 17th, 2004
For contacts: http://news.postnuke.com/index.php?module=vpContact
---------------------------------------------------------------------------

Vulnerability : SQL injection in Comments and Your_Account modules.
Relevant releases: 7.2.2+

DESCRIPTION

PostNuke is a weblog/Content Management System (CMS). It is far more secure and stable than competing products, and able to work in high-volume environments with ease.

Vulnerable versions can be exploited through SQL injection from the Comments and Your_Account modules included in the core package.

SOLUTION

It is recommended that all admins upgrade their sites to v7.2.6-2 or apply the latest security fix package for v7.2.6, available right now from the locations listed below.

For security update notifications:
http://lists.postnuke.com/mailman/listinfo/postnuke-security

REFERENCES

Full advisory available at:
http://secunia.com/advisories/11386/
http://security.nnov.ru/search/document.asp?docid=6081

UPDATED PACKAGES

1. PostNuke Phoenix 0.726-2 (.tar.gz format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=53
   Size/MD5 checksum: 1624780 11d190c28e334b07f02ef409c49edcab

2. PostNuke Phoenix 0.726-2 (.zip format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=54
   Size/MD5 checksum: 2346947 52301c8f8c87a82c855f451d148684d9

3. Patch for PostNuke 0.726 (.tar.gz format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=51
   Size/MD5 checksum: 27723 8b4316c35d9b3e34f1df9f740cfee0a3

4. Patch for PostNuke 0.726 (.zip format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=52
   Size/MD5 checksum: 32760 70b2bf8e7f2025a094d7f11f6a4f7bf3

ADDITIONAL INSTRUCTIONS

To patch your system, copy the files contained in this patch into your PostNuke directory, replacing the existing files.

Please note that the main package and the XTE RC3 release (which contains a file from the comments module) have been updated to include this advisory, so there is no need to apply this patch if you have downloaded PostNuke or XTE after the date of this announcement.

CREDITS

This exploit was originally found by pokleyzz, SCAN Associates.
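
Checking a download against the Size/MD5 values in the UPDATED PACKAGES list before unpacking it, as an added example that is not part of the original advisory. The function names and the command-line form are assumptions made here; the sizes and checksums are copied from the list above. A match rules out a truncated or corrupted download; MD5 is the only digest the advisory publishes.

```python
import hashlib
import os
import sys

# Size (bytes) and MD5 values copied from the advisory's UPDATED PACKAGES list,
# keyed by the list number used there.
ADVISORY_PACKAGES = {
    1: ("PostNuke Phoenix 0.726-2 (.tar.gz)", 1624780, "11d190c28e334b07f02ef409c49edcab"),
    2: ("PostNuke Phoenix 0.726-2 (.zip)", 2346947, "52301c8f8c87a82c855f451d148684d9"),
    3: ("Patch for PostNuke 0.726 (.tar.gz)", 27723, "8b4316c35d9b3e34f1df9f740cfee0a3"),
    4: ("Patch for PostNuke 0.726 (.zip)", 32760, "70b2bf8e7f2025a094d7f11f6a4f7bf3"),
}


def check_file(path, expected_size, expected_md5):
    """Return a list of mismatch descriptions; an empty list means the file matches."""
    problems = []
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        problems.append(f"size {actual_size} != {expected_size}")
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        # Hash in chunks so large archives are not read into memory at once.
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    if digest.hexdigest() != expected_md5.lower():
        problems.append(f"md5 {digest.hexdigest()} != {expected_md5.lower()}")
    return problems


def check_download(path, package_number):
    """Check a downloaded file against entry `package_number` of the advisory list."""
    _name, size, md5 = ADVISORY_PACKAGES[package_number]
    return check_file(path, size, md5)


if __name__ == "__main__":
    # Hypothetical usage: python verify_pnsa.py <downloaded-file> <1-4>
    path, number = sys.argv[1], int(sys.argv[2])
    issues = check_download(path, number)
    print(f"{ADVISORY_PACKAGES[number][0]}: " + ("OK" if not issues else "; ".join(issues)))
    sys.exit(1 if issues else 0)
```

A non-zero exit status means the file does not match the advisory entry and should be downloaded again rather than copied into the PostNuke directory.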