Press CTRL-D to bookmark us
Welcome Guest Login / Register / Members
Search in  
Top Submit newsSubscribe
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
 

 Sponsored links

Want to become one of our authors and see your work published on ALLSeek.iNFO ?
 
 PostNuke Input Validation Holes in 'pnadmin', 'dl-util', 'dl-search' and Other Scripts Let Remote Users Inject SQL Commands
Categorie: Vulnerability
Posted: 2005-03-02 by ReCall
Views: 525
Source: Click here
 		Current Rating: Not rated
Poor Best
 Details
Description: Andreas Krapohl from the PostNuke Development Team reported some input validation vulnerabilities in PostNuke. A remote user can inject SQL commands.

Several modules do not properly validate user-supplied input. A remote user can supply specially crafted values to execute SQL commands on the underlying database. Affected modeuls include:

/modules/Modules/pnadmin.php
/includes/blocks/past.php
/modules/Downloads/dl-util.php
/modules/Downloads/dl-s earch.php

The '/modules/Downloads/admin.php' does not properly validate output. The impact was not specified.

A remote user may be able to cause '/modules/News/index.php' to disclose the installation path.

Maksymilian Arciemowicz of securityreason.com is credited with discovering these vulnerabilities.

Impact: A remote user can execute arbitrary SQL commands on the underlying database.

A remote user may be able to determine the installation path.

Solution: The vendor has provided the following fixes [quoted]:

UPDATED PACKAGES
1. PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html
SIZE: 2410936 Bytes
MD5 checksum: dcb276fa0aae4e22764eb22fd66ccd09
SHA1 checksum: bc8c5ccde62312956f72a144e67efbf65bf82349

2. PostNuke 0.750 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html
SIZE: 3408707 Bytes
MD5 checksum: f49e17d4040892634c53b9fb5afe650c
SHA1 checksum: 82590102de8b0171993eaf94cc73006ad84ae752

3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-457.html
SIZE: 26990 Bytes
MD5 checksum: 2e654367bda64f8e9944273991997068
SHA1 checksum: fde99e26357003a8fd36aa7fde0da2859dc2c0b5

4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-458.html
SIZE: 32088 Bytes
MD5 checksum: e8b118732f19aa55d80550f6fe4d0caa
SHA1 checksum: f018e4f1d5339dce4b6a8419ac98a555c89945a2

NEW RELEASES
1. PostNuke 0.760RC3 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html
SIZE: 2933473 Bytes
MD5 checksum: b0bbd2649a027cf20f603ff26d17c392
SHA1 checksum: 5efd53cabd9f069320d2b157be9dc463fbc9d1cf

2. PostNuke 0.760RC3 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-460.html
SIZE: 4265380 Bytes
MD5 checksum: c2cce796bbf803c7018fa2f4b2891c9f
SHA1 checksum: cb5dc8953a562bcf07bca392dcbe18009942e32c
 
Syndication
Permalink Email this

The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=1394

User comments (post your comments here)

Only registerd members can post comments and articles
 
Previous articleBack to news listNext article
 


InterJOB.su
Bookmark us | Set As Homepage | Advertising | Contact Us | Recomend us | Link us | Links | Terms

SpyLOG Page Rank Checker
LAST QUERIES