[PNSA 2004-2] PostNuke Security Advisory PNSA 2004-2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




---------------------------------------------------------------------------
 PostNuke Security Advisory PNSA 2004-2                          Mark West
 http://www.postnuke.com/
 April 17th, 2004
 For contacts: http://news.postnuke.com/index.php?module=vpContact
--------------------------------------------------------------------------- 

Vulnerability : SQL injection in Comments and Your_Account modules.
   Relevant releases: 7.2.2+


   DESCRIPTION
   PostNuke is a weblog/Content Management System (CMS). It is far more
secure
   and stable than competing products, and able to work in high-volume
   environments with ease.

   Vulnerable versions can be exploited through SQL injection from the
   Comments and Your_Account modules included in the core package.


SOLUTION
   It is recommended that all admins upgrade their sites to v7.2.6-2 or
apply
   the latest security fix package for v7.2.6 available right now from the
locations
   listed below.


   For security updates notifications:
   http://lists.postnuke.com/mailman/listinfo/postnuke-security


REFERENCES
   Full advisory available at http://secunia.com/advisories/11386/ and
   http://security.nnov.ru/search/document.asp?docid=6081.


UPDATED PACKAGES
 1. PostNuke Phoenix 0.726-2 (.tar.gz format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=53
   Size/MD5 checksum: 1624780 11d190c28e334b07f02ef409c49edcab

 2. PostNuke Phoenix 0.726-2 (.zip format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=54
   Size/MD5 checksum: 2346947 52301c8f8c87a82c855f451d148684d9

 3. Patch for PostNuke 0.726 (.tar.gz format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=51
   Size/MD5 checksum: 27723 8b4316c35d9b3e34f1df9f740cfee0a3

 4. Patch for PostNuke 0.726 (.zip format)
   http://downloads.postnuke.com/pafiledb.php?action=file&id=52
   Size/MD5 checksum: 32760 70b2bf8e7f2025a094d7f11f6a4f7bf3


   ADDITIONAL INSTRUCTIONS
   Just replace the files contained in this patch into your PostNuke
directory
   to have your system patched.


   Please note the main package and XTE RC3 release (which contains a file
from
   the comments module) have been updated to include this advisory so there
is
   no need to apply this patch if you have download PostNuke or XTE after
the
   date of this announcement.


   CREDITS
   This exploit has been originally found by pokleyzz, SCAN Associates

[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux