From: TiMax <ma...@em...> - 2003-05-04 12:01:30
http://www.envolution.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=87&ttitle=Fix_Sensitive_Information_Disclosure

On Sun, 04 May 2003 13:44:25 +0200, Christoph Schwaeppe wrote:
> Please have a look at:
> http://www.securitytracker.com/alerts/2003/Mar/1006256.html
>
> Several vulnerabilities were reported in PostNuke. A remote user can
> inject SQL commands to be executed by the underlying database server. A
> remote user can also execute any PHP code located on the server.
>
> SCAN Associates reported that there is an input validation flaw in the
> Members_List module in the $sortby variable. A remote user can inject
> SQL commands to be executed in that variable. A demonstration exploit
> URL is provided:
>
> http://[target]/modules.php?op=modload&name=Members_List&file=index&
> letter=[username]&sortby=[sqlquery]
>
> It is also reported that a remote user can supply a specially crafted
> file name composed of directory traversal characters ('../') to the
> $theme variable to include arbitrary files located on the target server.
> A remote user can cause any file on the target server that is readable
> by the web server to be included and, if it contains PHP code, to be
> executed by the target server. The executed PHP code will run with the
> privileges of the web server. A demonstration exploit URL is provided:
>
> http://[target]/index.php?theme=../../../../../../../../tmp
>
> Impact: A remote user can inject SQL commands to be executed by the
> underlying SQL database. A remote user can execute arbitrary PHP code,
> including operating system commands, on the target server with the
> privileges of the target web server.
>
> Solution: The vendor has released a security fix for version 0.723,
> available as described below.
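
Hardened handling of the two inputs named in the quoted advisory (`$sortby` and `$theme`), as an added example that is not PostNuke or Envolution code and not part of the original message. The function names, the `users` table, the column allowlist and the themes directory layout are assumptions.

```php
<?php
// Added illustration: not PostNuke or Envolution code. Names are hypothetical.

// Assumed set of columns the member list may be sorted by.
const SORTABLE_COLUMNS = ['uname', 'name', 'email', 'url'];

// Build the member-list query. The sort column is picked from the allowlist
// (identifiers cannot be bound as parameters); the letter filter is bound.
function member_list_query(?string $letter, ?string $sortby): array
{
    $column = in_array($sortby, SORTABLE_COLUMNS, true) ? $sortby : 'uname';
    $sql = "SELECT uname, name, email, url FROM users WHERE uname LIKE ? ORDER BY $column";
    // Escape LIKE wildcards (backslash is MySQL's default LIKE escape character).
    return [$sql, [addcslashes((string) $letter, '%_\\') . '%']];
}

// Resolve an untrusted theme name to a directory under $themesRoot.
// Returns null unless the name is a plain identifier and the canonical
// path is a direct child of the themes root.
function resolve_theme_dir(?string $theme, string $themesRoot): ?string
{
    if ($theme === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null; // rejects '/', '\', '.', NUL bytes and empty names
    }
    $root = realpath($themesRoot);
    $dir  = realpath($themesRoot . DIRECTORY_SEPARATOR . $theme);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return null; // unknown theme or missing root
    }
    // A symlinked theme directory pointing elsewhere fails this comparison.
    return dirname($dir) === $root ? $dir : null;
}

// Constructed demo input: a temporary themes root holding one theme.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('themes_demo_');
mkdir($root . DIRECTORY_SEPARATOR . 'Default', 0700, true);

// The placeholder values from the advisory's demonstration URLs.
[$sql, $params] = member_list_query('[username]', '[sqlquery]');
echo $sql, PHP_EOL;
var_dump($params);
var_dump(resolve_theme_dir('Default', $root) !== null);
var_dump(resolve_theme_dir('../../../../../../../../tmp', $root));

rmdir($root . DIRECTORY_SEPARATOR . 'Default');
rmdir($root);
```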