PostNuke admin.php user.php cross-site scripting

postnuke-admin-user-xss (20018) The risk level is classified as MediumMedium Risk

Description:

PostNuke is vulnerable to cross-site scripting. This vulnerability is caused by improper validation of user-supplied information in the module parameter, in the admin.php script, and in the op parameter in the user.php script. A remote attacker could create a malicious URL link containing embedded code in the module and op parameters in a URL request to the admin.php and user.php scripts which, once the link is clicked, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.


Consequences:

Gain Access

Remedy:

Upgrade to the latest version of PostNuke (0.750b or later), available from the PostNuke Web site. See References.

References:

  • Dcrab 's Security Advisory on Bugtraq: Sql injection, xss and path disclosure vulnerabilities in.
  • PostNuke Web site: Open Source Content Management.
  • BID-13075: PostNuke Phoenix OP Parameter Remote Cross-Site Scripting Vulnerability
  • BID-13076: PostNuke Phoenix Module Parameter Remote Cross-Site Scripting Vulnerability
  • CVE-2005-1049: Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) module parameter to admin.php or (2) op parameter to user.php. NOTE: the vendor reports that certain issues could not be reproduced for 760 RC3, or for .750. However, the op/user.php issue exists when the pnAntiCracker setting is disabled.
  • OSVDB ID: 15370: PostNuke user.php op Variable XSS
  • SA14868: PostNuke Cross-Site Scripting and SQL Injection Vulnerabilities
  • SECTRACK ID: 1013670: PostNuke Input Validation Holes in News Module Permits SQL Injection and in `admin.php` and `user.php` Permit Cross-Site Scripting Attacks

Platforms Affected:

  • PostNuke PostNuke .760-RC3

Reported:

Apr 08, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page