PostNuke

Flexible Content Management System


PostNuke Security Advisory PNSA 2005-1

Contributed by CVE references:

VULNERABILITIES

- missing input validation within /modules/Modules/pnadmin.php

- missing input validation within /includes/blocks/past.php

- missing output validation within /modules/Downloads/admin.php

- missing input validation within /modules/Downloads/dl-util.php

- missing input validation within /modules/Downloads/dl-search.php

- possible path disclosure within /modules/News/index.php



SOLUTION

All admins should upgrade their sites to v0.750 immediately, then apply the latest security fix package available from the locations listed below.

Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.



UPDATED PACKAGES

1. PostNuke 0.750 (tar.gz format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html

SIZE: 2410936 Bytes

MD5 checksum: dcb276fa0aae4e22764eb22fd66ccd09

SHA1 checksum: bc8c5ccde62312956f72a144e67efbf65bf82349



2. PostNuke 0.750 (zip format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html

SIZE: 3408707 Bytes

MD5 checksum: f49e17d4040892634c53b9fb5afe650c

SHA1 checksum: 82590102de8b0171993eaf94cc73006ad84ae752



3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-457.html

SIZE: 26990 Bytes

MD5 checksum: 2e654367bda64f8e9944273991997068

SHA1 checksum: fde99e26357003a8fd36aa7fde0da2859dc2c0b5



4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-458.html

SIZE: 32088 Bytes

MD5 checksum: e8b118732f19aa55d80550f6fe4d0caa

SHA1 checksum: f018e4f1d5339dce4b6a8419ac98a555c89945a2



NEW RELEASES

1. PostNuke 0.760RC3 (tar.gz format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-459.html

SIZE: 2936077 Bytes

MD5 checksum: FE0A655663073F9F68F878359CD459B3

SHA1 checksum: 7DCE900CE0B4A4940AB18143FE2B82FB526DBC89



2. PostNuke 0.760RC3 (zip format)

http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-460.html

SIZE: 4265380 Bytes

MD5 checksum: c2cce796bbf803c7018fa2f4b2891c9f

SHA1 checksum: cb5dc8953a562bcf07bca392dcbe18009942e32c





ADDITIONAL INSTRUCTIONS

Place the files contained in this patch into the appropriate PostNuke directories, replacing the current files. Doing this applies the security fix to your system; this is what is meant by "patching" your system.

If you would like to receive security updates in the future, please subscribe to the PostNuke security list.

SPECIAL NOTE FOR .760RC3

PostNuke .760RC3 is not recommended for production sites. If performing an upgrade to .760 please review manual.txt carefully. Many of the core system modules are upgraded in this release so the process needs to be followed exactly.





CREDITS

The exploits were originally found by Maksymilian Arciemowicz from http://www.securityreason.com/ and were reported via the security contact.





Andreas Krapohl <larsneo>, PostNuke Development Team

February 28th, 2005