Full Disclosure mailing list archives

Postnuke 0.750 - 0.760rc4 local file inclusion
From: pokley <pokleyzz () scan-associates net>
Date: Mon, 16 May 2005 13:08:03 +0800

Product : Postnuke 0.750 (http://www.postnuke.com)
Description: Postnuke 0.750 - 0.760rc4 local file inclusion
Severity: High

Postnuke is a web content management system written in PHP, using MySQL
as its database backend.


Directory traversal in function pnModFunc

We have found a serious vulnerability that allows any user to view/include local files through the function pnModFunc. It is caused by a lack of error checking in pnModFunc when the user supplies func through index.php. The func variable is sanitized with pnVarCleanFromInput, which removes any slashes before it is passed to pnModFunc in index.php; this makes null-byte poisoning possible. With the help of the pnlang directory in the Blocks module, this vulnerability is very easy to exploit. Remote code execution is also possible with the help of a third-party module that allows image upload, or through an accessible Apache log file.

    } else {
        // $func is user-controlled (taken from index.php after pnVarCleanFromInput)
        // and is used unchecked to build the include path
        require_once("modules/$modname/pn$type/$func.php"); // <-- THE PROBLEM
    }

    return $modfunc($args);
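The following is an added example, not Postnuke's code and not part of the original advisory, showing the kind of check that is missing before the require_once above: the module, type and function names are restricted to plain identifiers (which rules out null bytes, slashes and dots), and the resolved file is verified to sit under the expected module directory. The function names and the $base parameter are assumptions for illustration.

```php
<?php
// Added example (not Postnuke's code). Function names are hypothetical.

/**
 * Accept only letters, digits and underscores. Anything else (null bytes,
 * "/", "\", ".", whitespace) could change the path built in pnModFunc().
 */
function is_safe_func_name(string $name): bool
{
    return $name !== '' && preg_match('/^[A-Za-z0-9_]+$/', $name) === 1;
}

/**
 * Build the same path pnModFunc() builds, but fail closed on unsafe input
 * and confirm the resolved file is still inside the module directory.
 * $base is the absolute path of the "modules" directory (assumed).
 * Returns the real path to include, or null if the request must be rejected.
 */
function resolve_mod_func_file(string $base, string $modname, string $type, string $func): ?string
{
    foreach ([$modname, $type, $func] as $part) {
        if (!is_safe_func_name($part)) {
            return null; // reject rather than include
        }
    }

    $expectedDir = realpath("$base/$modname/pn$type");
    $file        = realpath("$base/$modname/pn$type/$func.php");
    if ($expectedDir === false || $file === false) {
        return null; // unknown module/type/function: fail closed
    }

    // Defence in depth: the canonical path must start with the module directory.
    if (strpos($file, $expectedDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed inputs exercising only the name check (no files needed).
$samples = ['main', "main\0", '../../etc/passwd', 'main.php'];
foreach ($samples as $s) {
    printf("%-20s -> %s\n", addcslashes($s, "\0"), is_safe_func_name($s) ? 'accepted' : 'rejected');
}
```

The identifier check is the control that matters: it stops both the null-byte truncation described above and plain `../` traversal, which needs no null byte at all. The realpath containment check is a second layer in case the directory layout or the sanitizer changes later.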

Proof of concept

Fix Available from postnuke cvs since 5th May 2005



Vendor Response
3rd May 2005 - Vendor contacted
4th May 2005 - Vendor Reply
5th May 2005 - Fix Available

Thanks to Andreas Krapoh from Postnuke for the fast response on this issue.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
