

PostNuke Blocks Module "func" Directory Traversal Vulnerability

Contributed by on May 19, 2005 - 11:23 PM

This flaw is due to an input validation error in the Blocks Module when handling a specially crafted "func" variable containing "..\" sequences, which may be exploited remotely to conduct directory traversal attacks.


* Affected Products *

PostNuke version 0.76-RC4 and prior

* Solution *

Patches are available via CVS :

2005-05-17 : Original Advisory


This was found by my webhost and posted to my webhost's support/security forums two days ago. I just found it today. The changelogs above have a number of changes in them.

To Admin: Is this worth making a deal over?
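
The advisory above describes a "func" value containing "..\" sequences reaching a file path. The following is an added example, not PostNuke's code or its CVS patch: one way to validate such a value before it selects a file, assuming a hypothetical layout in which each value maps to `<base>/<func>.php`. The function name `resolve_func_file` and the sample files are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout (assumption): each allowed "func" maps to <base>/<func>.php.
function resolve_func_file(string $baseDir, string $func): ?string
{
    // 1. Allowlist the value itself: no dots, slashes, backslashes, NULs or '%'.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $func) !== 1) {
        return null;
    }
    // 2. Canonicalise and confirm the result is still inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $func . '.php');
    if ($base === false || $path === false) {
        return null; // base directory missing, or no such handler file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // e.g. a symlink inside the base that points elsewhere
    }
    return $path;
}

// Constructed demo: a temp directory with one handler and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'func_demo_' . bin2hex(random_bytes(4));
$blocks = $root . DIRECTORY_SEPARATOR . 'blocks';
mkdir($blocks, 0700, true);
file_put_contents($blocks . DIRECTORY_SEPARATOR . 'view.php', "<?php // handler\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.php', "<?php // outside blocks\n");

// Constructed sample inputs: one valid name, then separator, encoding and NUL variants.
$samples = ['view', '..\\secret', '../secret', '..%5Csecret', "view\0", 'missing', ''];
foreach ($samples as $func) {
    $resolved = resolve_func_file($blocks, $func);
    printf("%-16s => %s\n", json_encode($func), $resolved === null ? 'rejected' : 'accepted');
}

// Remove the demo files again.
unlink($blocks . DIRECTORY_SEPARATOR . 'view.php');
unlink($root . DIRECTORY_SEPARATOR . 'secret.php');
rmdir($blocks);
rmdir($root);
```

Only `view` is accepted. Checking the value against an allowlist pattern, rather than stripping `..` sequences, means backslash and forward-slash variants are rejected the same way on Windows and Unix hosts.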