Bugtraq mailing list archives

Re: PostNuke Sensitive Information Disclosure
From: "Kilmarac Jarov -" <kilmarac () phreaker net>
Date: Thu, 27 Mar 2003 20:28:40 -0500

I must be missing what you are saying to replace 1234 with, as I didn't get
anything but errors.


Deactivating the module only would not be sufficient as the module itself is
still accessible.

I would say that if you want to secure it completely, either remove it from
the modules, or rename it to something unique so that it can't be found.

----- Original Message -----
From: "rkc" <rkc () uncompiled com>
To: <bugtraq () securityfocus com>
Sent: Wednesday, March 26, 2003 6:47 PM
Subject: PostNuke Sensitive Information Disclosure

Title: PostNuke path disclosure, and... (db name).
Version: (other)

A vulnerability has been found in PostNuke (v0.7.2.3-Phoenix) which allows
users to determine the physical path of this CMS.

This vulnerability would allow a remote user to determine the full path to
the web root directory and other information, like the database name (!)



Change 1234 to anything.


If you are looking for:

* Path disclosure in & v:
(Two simple examples)



(Change 1234 to anything).




Change the Member_List privileges, for admins only (?)
Deactivate the Member_List module (?)


Greetz !


Rep. Argentina
StFU, and RtFM !
