Vulnerabilities > CVE-2005-0615 - SQL-Injection vulnerability in Postnuke Software Foundation Postnuke 0.760Rc2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
postnuke-software-foundation
nessus

Summary

Multiple SQL injection vulnerabilities in (1) index.php, (2) modules.php, or (3) admin.php in PostNuke 0.760-RC2 allow remote attackers to execute arbitrary SQL code via the catid parameter.

Vulnerable Configurations

Part Description Count
Application
Postnuke_Software_Foundation
1

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_F3EEC2B58CD811D98066000A95BC6FAE.NASL
    descriptionTwo separate SQL injection vulnerabilities have been identified in the PostNuke PHP content management system. An attacker can use this vulnerability to potentially insert executable PHP code into the content management system (to view all files within the PHP scope, for instance). Various other SQL injection vulnerabilities exist, which give attackers the ability to run SQL queries on any tables within the database.
    last seen2020-06-01
    modified2020-06-02
    plugin id19170
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19170
    titleFreeBSD : postnuke -- SQL injection vulnerabilities (f3eec2b5-8cd8-11d9-8066-000a95bc6fae)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19170);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2005-0615", "CVE-2005-0617");
    
      script_name(english:"FreeBSD : postnuke -- SQL injection vulnerabilities (f3eec2b5-8cd8-11d9-8066-000a95bc6fae)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two separate SQL injection vulnerabilities have been identified in the
    PostNuke PHP content management system. An attacker can use this
    vulnerability to potentially insert executable PHP code into the
    content management system (to view all files within the PHP scope, for
    instance). Various other SQL injection vulnerabilities exist, which
    give attackers the ability to run SQL queries on any tables within the
    database."
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110962710805864
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110962710805864"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110962819232255
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110962819232255"
      );
      # http://news.postnuke.com/Article2669.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.postnuke.com/Article2669.html"
      );
      # https://vuxml.freebsd.org/freebsd/f3eec2b5-8cd8-11d9-8066-000a95bc6fae.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0b1ca7cc"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:postnuke");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"postnuke<0.760")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idPOSTNUKE_0_760_RC2.NASL
    descriptionThe remote host is running PostNuke version 0.760 RC2 or older. These versions suffer from several vulnerabilities, among them : - SQL injection vulnerability in the News, NS-Polls and NS-AddStory modules. - SQL injection vulnerability in the Downloads module. - Cross-site scripting vulnerabilities in the Downloads module. - Possible path disclosure vulnerability in the News module. An attacker may use the SQL injection vulnerabilities to obtain the password hash for the administrator or to corrupt the database database used by PostNuke. Exploiting the XSS flaws may enable an attacker to inject arbitrary script code into the browser of site administrators leading to disclosure of session cookies.
    last seen2020-06-01
    modified2020-06-02
    plugin id17240
    published2005-03-01
    reporterThis script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17240
    titlePostNuke <= 0.760 RC2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description) {
      script_id(17240);
      script_version("1.20");
    
      script_cve_id("CVE-2005-0615", "CVE-2005-0616", "CVE-2005-0617");
      script_bugtraq_id(12683, 12684, 12685);
    
      script_name(english:"PostNuke <= 0.760 RC2 Multiple Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that suffers from
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running PostNuke version 0.760 RC2 or older.  These
    versions suffer from several vulnerabilities, among them :
    
      - SQL injection vulnerability in the News, NS-Polls and 
        NS-AddStory modules.
      - SQL injection vulnerability in the Downloads module.
      - Cross-site scripting vulnerabilities in the Downloads
        module.
      - Possible path disclosure vulnerability in the News module.
    
    An attacker may use the SQL injection vulnerabilities to obtain the
    password hash for the administrator or to corrupt the database
    database used by PostNuke. 
    
    Exploiting the XSS flaws may enable an attacker to inject arbitrary
    script code into the browser of site administrators leading to
    disclosure of session cookies." );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Mar/8" );
     script_set_attribute(attribute:"see_also", value:"http://news.postnuke.com/Article2669.html" );
     script_set_attribute(attribute:"solution", value:
    "Either upgrade and apply patches for 0.750 or upgrade to 0.760 RC3 or
    later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/01");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/28");
     script_cvs_date("Date: 2018/11/15 20:50:18");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:postnuke_software_foundation:postnuke");
     script_end_attributes();
    
    
      script_summary(english:"Detects multiple vulnerabilities in PostNuke 0.760 RC2 and older");
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("postnuke_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    if (!can_host_php(port:port))exit(0);
    
    kb = get_kb_item("www/" + port + "/postnuke" );
    if (! kb) exit(0);
    install = eregmatch(pattern:"(.*) under (.*)", string:kb );
    ver = install[1];
    dir = install[2];
    
    # Try the SQL injection exploits.
    exploits = make_list(
      "catid='cXIb8O3",
      "name=Downloads&req=search&query=&show=cXIb8O3",
      "name=Downloads&req=search&query=&orderby="
    );
    
    foreach exploit (exploits) {
      if (test_cgi_xss(port: port, cgi: "/index.php", qs: exploit, dirs: make_list(dir),
     sql_injection: 1, high_risk: 1,
     pass_re: "DB Error: getArticles:|Fatal error: .+/modules/Downloads/dl-search.php"))
      exit(0);
    }