-
Security Announcement: PostSchedule 1.0.5 SQL injection vulnerability
(News)
-
For .764, PGCalendar or PostCalendar might be a replacement; when using .8, crpcalendar, Eventliner or TimeIt may be worth a look.
We do not support PostSchedule with this fix; you use it at your own risk. It may (or may not) fix the recent exploit, but there might be other issues in the code. If someone wants to have a closer look at it, feel free.
Generated on April 29, 2008.
-
Development Update, November 2006-05
(News)
-
New teamlist member: Ammodump
Ammodump was asked to join the team. As quoted from his introduction in the team: "I enjoy being a community member, and that often my comments hold weight. Sometimes my comments and advice are misguided, but sometimes it is hard to understand others questions ;-) ". With two main hobbies (PN and beer), Ammodump seems to be born for the support team here at the community website.
Remote code injection problem
As some people already know, there is a remote code injection problem with the language parameter, as mentioned in the Feedback Forum. Both the .7 and the .8 versions have been updated to fix this security vulnerability, so everybody is urged to upgrade their PostNuke version to the latest release (see also the Release Announcement). Some background information: the FormUtil::getPassedValue() function now also accepts an input vector GETPOST. This ensures that the contents of _COOKIE are not taken into account when retrieving data (as they would be when going through _REQUEST). The input domain is limited to _GET and _POST and no longer goes through _REQUEST / _COOKIE. This has been applied first to the newlang and thistheme parameters, and has been (and will be) applied to the rest of the core functions as well.
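To show why the input vector matters, here is an added example (not PostNuke's own FormUtil code) of a minimal lookup helper with an explicit source vector; the function name fetchPassedValue() and the constructed request data are assumptions for this example.

```php
<?php
// Added example, not PostNuke's FormUtil::getPassedValue(): a lookup helper
// that only consults the superglobals named by the input vector.
// 'GETPOST' reads $_GET then $_POST and never touches $_COOKIE, which is
// exactly what going through $_REQUEST would not guarantee.
function fetchPassedValue($name, $default = null, $vector = 'GETPOST')
{
    switch ($vector) {
        case 'GET':     $sources = array($_GET); break;
        case 'POST':    $sources = array($_POST); break;
        case 'COOKIE':  $sources = array($_COOKIE); break;
        case 'GETPOST': $sources = array($_GET, $_POST); break;
        case 'REQUEST': $sources = array($_REQUEST); break; // kept only for contrast
        default:
            throw new InvalidArgumentException("unknown input vector: $vector");
    }
    foreach ($sources as $source) {
        if (isset($source[$name])) {
            return $source[$name];
        }
    }
    return $default;
}

// Constructed request: no GET/POST data, but a cookie that happens to carry a
// "newlang" key. With the default request_order (EGPCS) $_REQUEST merges it in.
$_GET     = array();
$_POST    = array();
$_COOKIE  = array('newlang' => 'value-from-cookie');
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

var_dump(fetchPassedValue('newlang', 'eng', 'REQUEST')); // "value-from-cookie"
var_dump(fetchPassedValue('newlang', 'eng', 'GETPOST')); // "eng": the cookie is ignored
```

A parameter such as newlang that only ever arrives via the URL or a form has no business being read from a cookie, so restricting the vector removes one uncontrolled input path before any further validation runs.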
Session handling
Some features have been added to the session handling in the core system:
- Session id regeneration (randomly and on login/logout), making it even more difficult to hijack a session. This has been achieved without any extra writes to the database, so the feature has no overhead.
- The session variable can now be renamed (it was always POSTNUKESID), and switching from file-based session storage to database session storage has been enhanced.
- An auth-id check on the user login screen (and block). This has introduced a login bug which has been entered into the bug tracker and will be fixed by the release of MS3.
The session regeneration options are available in the (upgraded) Settings module.
Also fixed for both the 0.764 release as well as the 0.8 release are some PHP >= 5.2.0 issues due to session handling (See the forums, credits to fredatwork). It seems to solve the problems with PostNuke installations running on 5.2.0 or higher.
Minimum MySQL and PHP versions
The minimum version for MySQL has been raised to 4.1.x, due to some installer problems related to old 3.x databases. See also MySQL's lifetime philosophy at Planet MySQL. For security reasons, the recommended minimum PHP version is 4.3.10.
Installer
Some install problems with register_globals ON are now fixed. In addition, a check for register_globals has been added to the .76x install process, for information only. Installing PostNuke in these environments is still possible. Syncing this with the .8 installer is still to be done.
System and core modules
The internal variables statusmsg and errormsg are now arrays: it is now possible to capture (and display) multiple errors. Therefore, pnGetStatusMsg() is renamed to pnGetStatusMsgs() and LogUtil::getStatusMessagesText().
Float handling in values returned from Ajax has been discussed within the team. It appears that floats in non-US locales did not get the correct decimal delimiter. Therefore, the locale has been set to en_US to ensure this. A solution for writing floats to the DB is still pending.
Robert has added the encryption / decryption methods, using the mcrypt library function, for use in the API.
In the Theme module, the plugins for showing the sitename, slogan and complete title have been altered to use multilanguage support.
The Settings module has some nice dynamic interface elements added to the Security and General function types, improving its usability.
The magic_quotes_gpc recommendation for .8 has been changed: it should be off instead of on. According to the PHP security group, this feature is inconsistent in blocking attacks, and can in some cases cause data loss with uploaded files. Besides the reverted magic_quotes_gpc recommendation, the SysInfo module now also checks for allow_url_include (new in PHP 5.2) and the Suhosin patch/extension.
Finally, all variables retrieved through FormUtil::getPassedValue() are now cached.
ValueAddons modules
The Pages module now displays the category that each page belongs to in the overview.
The Error module (or Error handler, where error pages within PostNuke are handled) has been undergoing some changes. System errors, forbidden / not-found errors and specific API errors have their own templates and level of error reporting. A no-auth error will result in a more suitable 403 response rather than a 200-response with a status message. As a result, a lot of code has been altered to correctly use the new Log- and Error message handling.
The Wiki module has been renamed to the more suitable 'Wiki_Code', as this module is a transform hook that enables Wiki formatting in content items.
The ExampleObj module has been reviewed, revised and updated by Robert. It should serve as a good example for any module writer.
Generated on November 20, 2006.
-
PNSA 2006-2 - Downloads Module "hits" SQL Injection Vulnerability
(News)
-
Severity
Less critical
Impact
Manipulation of data
Vulnerabilities
SQL Injection Vulnerability (when logged in as a user with administrative privileges)
Credits
Omid (omid hackers ir)
Solution
Users should immediately update to 0.763. PostNuke versions 0.763 and later are unaffected.
PostNuke 0.763 Full Release Download
Download this release for new full installations.
Download (ZIP)
MD5: 13221d427059388d509176c2de77b2b1
SHA-1: d850f06e8632814faa6b1268cc2a787a50aa7cf3
Download (TAR.GZ)
MD5: 861fb337832cc86c2ac60ba0ed9de353
SHA-1: f4ba3e9e100229cd096ed1cd695f086dae46eccc
PostNuke 0.763 Patch Files Download
Only download the patched files release if you are running a pre-existing 0.762 installation.
This patch will not work with new installations or successfully patch versions earlier than 0.762.
Download (ZIP)
MD5: e81a251b952757ec919e00589fedf0c6
SHA-1: 65d7fb1e76ce1b38f82f78de2c10543c547d3019
Download (TGZ)
MD5: bfa3f432800de453653748adc2df412e
SHA-1: a77bb37b7cc4b4e6831bdf510ade915536645a59
Simon Birtwistle [HammerHead]
PostNuke CMS Steering Committee
Generated on October 14, 2006.
-
SQL-injection in module Download (PN0750)
(News)
-
Text:
- --- 1. SQL-injection in module Download ---
This SQL injection is not critical, since the exploit only works under the rights of the manager (mysql).
The problem is in the file "modules/Downloads/dl-viewdownload.php".
- --------
if ($show!="") {
$perpage = $show;
} else {
$show=$perpage;
}
...
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
- --------
Variable: $perpage.
The $perpage value taken from the request is not checked. If the $show parameter (number of elements per page) is set to, for instance, "0", "-3", "asdf" or anything else malformed, the value is not validated.
Decision:
Install the new version, PostNuke 0.760. If you are not going to move to version 0.760, the fix is as follows:
in the file dl-viewdownload.php, in the functions viewdownload() and viewsdownload(), replace the code
if ($show!="") {
$perpage = $show;
} else {
$show=$perpage;
}
with the following code
if ( (isset($show)) && is_numeric($show) && ($show >= 0) ) {
$perpage = $show;
} else {
$show = $perpage;
}
In the event of an invalid parameter, the default value (taken from the admin settings) is used instead (thanks TAndrew).
Alternatively, in the file dl-viewdownload.php, in the functions viewdownload() and viewsdownload(), replace the line
$result =& $dbconn->SelectLimit($sql,$perpage,$min);
with
$result =& $dbconn->SelectLimit($sql,(int)$perpage,(int)$min);
In the event of an invalid parameter, an empty page is returned.
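As an added example (not code from the advisory or from PostNuke), the two fixes above combined into one helper that validates a paging parameter before it reaches SelectLimit(); the function name safePagingValue(), the $minimum argument and the sample inputs are constructed for this example, and it goes slightly beyond the advisory by rejecting "0" for the per-page value via a minimum.

```php
<?php
// Added example, not the advisory's patch: one helper that applies both ideas
// from the advisory (numeric check with fallback to the default, plus an int
// cast) to every value handed to $dbconn->SelectLimit($sql, $perpage, $min).
//
// Only strings made of ASCII digits are accepted, so "-3", "asdf", "1e3",
// "25abc" and "" all fall back to $default; "0" is rejected for per-page
// values by asking for a minimum of 1.
function safePagingValue($value, $default, $minimum = 0)
{
    if ($value !== null && ctype_digit((string) $value) && (int) $value >= $minimum) {
        return (int) $value;
    }
    return (int) $default;
}

// Constructed defaults as they would come from the module settings, and
// constructed request inputs as they might arrive in $show.
$defaultPerPage = 10;
$defaultMin     = 0;
$samples = array('25', '0', '-3', 'asdf', '1e3', '25abc', '', null);

foreach ($samples as $show) {
    $perpage = safePagingValue($show, $defaultPerPage, 1);
    $min     = safePagingValue(null, $defaultMin);
    // Both values are now guaranteed to be non-negative integers, so the
    // LIMIT clause built by SelectLimit() can no longer receive arbitrary text.
    printf("%-8s => perpage=%d min=%d\n", var_export($show, true), $perpage, $min);
}
```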
Generated on August 31, 2005.
-
REMINDER: Remove XMLRPC from your site!
(News)
-
The following was posted on June 29th in PNSA 2005-3:
DESCRIPTION
PostNuke CMS is an open source, open development content management system (CMS). PostNuke CMS started as a fork from PHPNuke and provides many enhancements and improvements over the PHP-Nuke system.
PostNuke CMS is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers (including ADODB database abstraction and SMARTY templating) is in place.
The PostNuke CMS Development Team was notified about a security issue within the current .750 stable package and the .760 development tree.
VULNERABILITIES
- remote code injection via xml rpc library
SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within Administration-Modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.
Andreas Krapohl [larsneo]
PostNuke CMS Development Team
Generated on August 16, 2005.
-
PostNuke Security Advisory PNSA 2005-3
(News)
-
VULNERABILITIES
- remote code injection via xml rpc library
SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within Administration-Modules and additionally remove /xmlrpc.php and the /modules/xmlrpc folder completely from the filesystem.
The PostNuke CMS Development Team strongly recommends *not* using the xml rpc library until the maintainers [1] provide a secure solution. Once an updated version is available, a modularized version will be provided for download as an additional module.
Note: The upcoming .760 release will not contain the xml rpc library.
CREDITS
The exploit has been originally found by James from GulfTech Security Research and was reported via security contact. Additionally the maintainers of the xml rpc library were contacted.
Andreas Krapohl [larsneo]
PostNuke CMS Development Team
[1] phpxmlrpc.sourceforge.net
Generated on June 29, 2005.
-
PostNuke Security Advisory PNSA 2005-2
(News)
-
VULNERABILITIES
- various missing input validations within /modules/Xanthia/ [1]
- missing input validation within /modules/Messages/readpmsg.php [1]
- possible path disclosure within /user.php [2]
- possible path disclosure within /modules/News/article.php [2]
- possible remote code injection within /includes/pnMod.php [3]
- possible cross-site-scripting in /index.php
SOLUTION
It is recommended that all admins do an immediate upgrade of their sites to v0.750b by applying the latest security fix package available from the locations listed below. Since the Xanthia-module will be updated the site's theme needs to be set to ExtraLite (or any other non-Xanthia theme) prior to applying the update. After uploading the fixpackage the modules list needs to be regenerated and the Xanthia module upgraded within Administration-Modules.
Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.
The /index.php and /includes/pnMod.php fixes are also available for the current .760rc4a Release Candidate within the changed files only package, the main package has also been updated with the fixes.
UPDATED PACKAGES
1. PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html
SHA1: 60ef6f7c93cfa638fc7d089e078db0eaa59f95b4
MD5: c40ebc31cfa3ada351dbe63f4e9a6255
Size: 2407332 Bytes
2. PostNuke 0.750 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html
SHA1: 50edfbb3c12bed0b80413d421d1a90ff28ed0c22
MD5: 26dc0202c776f7463008c54ce8cf89b9
Size: 3501230 Bytes
3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-472.html
SHA1: d504155418ab6d07491b3a6c0d18834fe20bbefd
MD5: e472c9917e2ff237b354bdc87838c504
Size: 247175 Bytes
CREDITS
The [1] exploits have been originally found by Maksymilian Arciemowicz from http://www.securityreason.com/ and were reported via security contact. The path disclosure issues [2] were found by 'Diabolic Crac' and reported to various trackers. The remote code injection [3] was reported by Mohamad Saleh Raub from http://www.scan-associates.net to the security contact.
Andreas Krapohl
PostNuke Development Team
Generated on May 20, 2005.
-
Subjects PostNuke Module SQL Injection Vulnerabilities
(News)
-
## Software ##
Software: Subjects Postnuke module
Version: 2.0
Platforms: Unix/Win/PHP/MySQL/Postnuke
Web: http://home.postnuke.ru
## Vendor Description ##
The module is designed for structured storage and display of text content, with the possibility of storing content in a file on disk. Probably the best one for converting an existing HTML-based site to PostNuke.
## Vulnerabilities ##
Sql-Injection in pageid, subid, catid variables.
## Sql-Injection ##
The previous variables are vulnerable to SQL injection attacks.
These SQL injection vulnerabilities allow a remote user to inject arbitrary SQL commands.
/index.php?module=subjects&func=listpages&subid=[SQL]
/index.php?module=subjects&func=viewpage&pageid=[SQL]
/index.php?module=subjects&func=listcat&catid=[SQL]
## Proof of Concept ##
URL to retrieve the MD5 password hash of a user. This POC needs UNION functionality enabled in Mysql to retrieve the hash.
## History ##
Vendor contacted but no response.
## Solution ##
There is no solution at this time; we recommend removing this module immediately.
## Credits ##
Criolabs staff
http://www.criolabs.net
The Subjects module is not a core component of PostNuke, and so therefore this article does not apply to those who have not installed
Generated on September 10, 2004.
-
Critical sql injection bug in PhpBB 2.0.8 and in older versions
(News)
-
Generated on March 29, 2004.
-
My_eGallery injection vulnerability
(News)
-
They are forcing the basepath which is a global in that module.
[exact process edited]
Here's the report and a link to the fix: http://www.securiteam.com/unixfocus/6Y00M208UK.html
Generated on March 23, 2004.