
PostNuke various vulns
25th Mar 2002 [SBWID-5209]
COMMAND

	PostNuke various vulns

SYSTEMS AFFECTED

	PostNuke .7.0.3

PROBLEM

	rootkidd 'Scott' reported the following problems:
	

	

	http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com"> <-- this is funny :o)

	

	

	http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>

	

	The cookie details are displayed on the page as well as in an alert
	window, which could lead to a user's account being compromised.
	

	The text below will be shown on the web page once run.
	

	PHPLive New! 

	alert(document.cookie)&unique=1015076420651 

	border=0 

	alt='Click for Live Support!'>

	

	We also get some cool information from the site that we should not:
	

	DB Error: getArticles: 1064: You have an error in your
	SQL syntax near '= ORDER BY nuke_stories.sid
	DESC
	LIMIT 1' at line 23

	

	We also get a fully qualified path to the files we  hack,  allowing  one
	to guess OS type and other such things.
	

	There are many bugs similar to these with pages other than the  examples
	shown. Most people think it is just modules.php  but  this  is  NOT  the
	case.
	

	This is an example of some other info that can be retrieved:
	

	22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on )
	Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc ' at line 1
	Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc "
	Error: "" Request:"/index.php?xcontentmode="
	Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0"
	Port:"32069" \n

	

	22/03/2002,19:32 "Fehler auf /index.php?xcontentmode= -> -> /index.php (linked on )
	Datenbankfehler: You have an error in your SQL syntax near 'and scoresum>="30" order by changed desc limit 0,10' at line 1
	Offending command was: select name,id,changed,created,type,user,downloads,scoresum,status,preview1,commentscount from content and scoresum>="30" order by changed desc limit 0,10 "
	Error: "" Request:"/index.php?xcontentmode="
	Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0"
	Port:"32069" \n

	

SOLUTION

	Patch
	=====

	

	The newer .7.10 version is vulnerable to CSS (cross-site scripting) and
	CSRF bugs in some manner or another. Other bugs are patched.
	

	Also use "strip_tags($Evil_halt, "acceptable html");" to filter
	unwanted code being passed to the server, add <>, cookie and other
	such characters / words to your snort config, and finally DISABLE error
	reporting in php.ini.
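
	The fixes above applied to the catid case, as an added example that is not PostNuke code or part of the original report: the parameter is validated as an integer, bound into the query instead of concatenated, encoded on output, and errors go to the log rather than the page. The function names, the stories table and the in-memory SQLite database (pdo_sqlite) are assumptions made for the demonstration.

```php
<?php
// Added example, not PostNuke code: function names and table layout are hypothetical.
ini_set('display_errors', '0');   // same effect as display_errors = Off in php.ini
ini_set('log_errors', '1');       // keep the detail, but only in the server log

// Accept catid only as a short run of decimal digits; anything else is rejected.
function parse_catid(array $query): ?int
{
    $raw = $query['catid'] ?? null;
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function render_latest_story(PDO $db, array $query): string
{
    $catid = parse_catid($query);
    if ($catid === null) {
        // Log an encoded copy for review; never echo the value or a DB error.
        error_log('rejected catid: ' . json_encode($query['catid'] ?? null));
        return '<p>Unknown category.</p>';
    }
    try {
        // Bound parameter: the value never becomes part of the SQL text.
        $stmt = $db->prepare(
            'SELECT title FROM stories WHERE catid = ? ORDER BY sid DESC LIMIT 1'
        );
        $stmt->execute([$catid]);
        $title = $stmt->fetchColumn();
    } catch (PDOException $e) {
        error_log('story query failed: ' . $e->getMessage());
        return '<p>Temporarily unavailable.</p>';
    }
    if ($title === false) {
        return '<p>No stories in this category.</p>';
    }
    // Encode on output even though the title came from our own database.
    return '<p>' . htmlspecialchars((string) $title, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (sid INTEGER PRIMARY KEY, catid INTEGER, title TEXT)');
$db->exec("INSERT INTO stories (catid, title) VALUES (3, 'Release <notes>')");

echo render_latest_story($db, ['catid' => '3']), "\n";
echo render_latest_story($db, ['catid' => '<script>alert(document.cookie)</script>']), "\n";
echo render_latest_story($db, ['catid' => '']), "\n";
```

	strip_tags() with a list of allowed tags keeps the attributes on the tags it lets through, so anything echoed back into the page still needs htmlspecialchars() as well.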
