PostNuke Phoenix Download Module Multiple Cross-Site Scripting Vulnerabilities
BID:12685
Info
| Bugtraq ID: | 12685 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 28 2005 12:00AM |
| Updated: | Feb 28 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to Maksymilian Arciemowicz. |
| Vulnerable: | PostNuke Development Team PostNuke Phoenix 0.760 RC2; PostNuke Development Team PostNuke Phoenix 0.750 |
| Not Vulnerable: | PostNuke Development Team PostNuke Phoenix 0.760 RC3 |
Discussion
PostNuke is affected by multiple cross-site scripting vulnerabilities. These issues are due to the application failing to properly sanitize user-supplied input.
As a result of these vulnerabilities, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
No exploit is required to leverage these issues.
Solution / Fix
Solution:
The vendor has addressed this issue in PostNuke 0.760RC3.
PostNuke Development Team PostNuke Phoenix 0.750
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
PostNuke Development Team PostNuke Phoenix 0.760 RC2
- PostNuke Development Team PostNuke Phoenix 0.760RC3
  http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
References
References:
- PostNuke Homepage (PostNuke Development Team)
- PostNuke Security Advisory PNSA 2005-1 (PostNuke Development Team)
- PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2 (Maksymilian Arciemowicz)