PostNuke sid parameter SQL injection

postnuke-sid-sql-injection (20019) The risk level is classified as MediumMedium Risk

Description:

PostNuke is vulnerable to SQL injection, caused by improper validation of user-supplied information in the sid parameter. A remote attacker could send a specially-crafted URL request containing SQL commands to the sid parameter, which would allow the attacker to obtain sensitive information and add, modify, or delete information in the backend database.

Platforms Affected:

  • PostNuke, PostNuke .760-RC3

Remedy:

Upgrade to the latest version of PostNuke (0.750b or later), available from the PostNuke Web site. See References.

Consequences:

Data Manipulation

References:

  • Dcrab 's Security Advisory on Bugtraq, Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 at http://seclists.org/lists/bugtraq/2005/Apr/0165.html.
  • PostNuke Web site, Open Source Content Management at http://www.postnuke.com/.
  • BID-13076: PostNuke Phoenix Module Parameter Remote Cross-Site Scripting Vulnerability
  • BID-13077: PostNuke Phoenix SID Parameter Remote SQL Injection Vulnerability
  • CVE-2005-1048: SQL injection vulnerability in modules.php in PostNuke 0.760 RC3 allows remote attackers to execute arbitrary SQL statements via the sid parameter. NOTE: the vendor reports that they could not reproduce the issues for 760 RC3, or for .750.
  • OSVDB ID: 15371: PostNuke News Module sid Parameter SQL Injection
  • SA14868: PostNuke Cross-Site Scripting and SQL Injection Vulnerabilities
  • SECTRACK ID: 1013670: PostNuke Input Validation Holes in News Module Permits SQL Injection and in `admin.php` and `user.php` Permit Cross-Site Scripting Attacks

Reported:

Apr 08, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page