[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerability in PostNuke

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vulnerability in PostNuke
From: sni-labs@xxxxxxxxxxxx
Date: Wed, 22 Nov 2006 00:34:16 +0200

Error PostNuke in the variable stop which can be exploited by maliciouspeople to disclose system information. Luckily the vulnerabilityaffects to the 0.7.5.0 version and minors.


POC:
http://www.[web-with-PostNuke].com/user.php?stop=a (no numeric value)
Example:
http://www.dev-postnuke.com/user.php?stop=a
http://www.americavivetv.com/user.php?stop=a
http://www.ciberpsique.net/user.php?stop=a

http://www.bonsaiabm.com/user.php?stop=ahttp://www.elrincondejada.net/user.php?stop=ahttp://www.salsa.org.pl/user.php?stop=ahttp://www.choco.org/user.php?stop=a



by rMrGvG

http://SNI-LABS.com
since 1998

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Prev by Date: VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
Next by Date: RE: [Reversemode advisory] Computer Associates HIPS Drivers - multiple local privilege escalation vulnerabilities.
Previous by thread: VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
Next by thread: Advisory: Seditio <= 1.10 Remote SQL Injection Vulnerability.
Index(es):
- Date
- Thread