Flexible Content Management System


PostNuke Security Advisory PNSA 2005-2

Contributed by CVE references:


- various missing input validations within /modules/Xanthia/ [1]

- missing input validation within /modules/Messages/readpmsg.php [1]

- possible path disclosure within /user.php [2]

- possible path disclosure within /modules/News/article.php [2]

- possible remote code injection within /includes/pnMod.php [3]

- possible cross-site-scripting in /index.php


It is recommended that all admins do an immediate upgrade of their sites to v0.750b by applying the latest security fix package available from the locations listed below. Since the Xanthia-module will be updated the site's theme needs to be set to ExtraLite (or any other non-Xanthia theme) prior to applying the update. After uploading the fixpackage the modules list needs to be regenerated and the Xanthia module upgraded within Administration-Modules.

Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.

The /index.php and /includes/pnMod.php fixes are also available for the current .760rc4a Release Candidate within the changed files only package, the main package has also been updated with the fixes.


1. PostNuke 0.750 (tar.gz format)

SHA1: 60ef6f7c93cfa638fc7d089e078db0eaa59f95b4

MD5: c40ebc31cfa3ada351dbe63f4e9a6255

Size: 2407332 Bytes

2. PostNuke 0.750 (zip format)

SHA1: 50edfbb3c12bed0b80413d421d1a90ff28ed0c22

MD5: 26dc0202c776f7463008c54ce8cf89b9

Size: 3501230 Bytes

3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)

SHA1: 6e76d92124c833618d02dfdb87d699374120967d

MD5: a007e741be11389a986b1d8928a6c0e5

Size: 160550 Bytes

4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)

SHA1: d504155418ab6d07491b3a6c0d18834fe20bbefd

MD5: e472c9917e2ff237b354bdc87838c504

Size: 247175 Bytes


The [1] exploits have been originally found by Maksymilian Arciemowicz from and were reported via security contact. The path disclosure issues [2] were found by 'Diabolic Crac' and reported to various trackers. The remote code injection [3] was reported by Mohamad Saleh Raub from to the security contact.

Andreas Krapohl <larsneo>

PostNuke Development Team