Sql injection in PostNuke [Admin section]
From: "Omid" <omid@hackers.ir.>
To: <bugtraq@securityfocus.com.>
Subject: Sql injection in PostNuke [Admin section]
Date: Fri, 29 Sep 2006 09:43:36 +0330
User-Agent: Hackers.ir/1.0
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: Hackers.ir/1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hi,
There is a sql injection bug in PostNuke 0.762 admin section (and maybe
before versions) .
The "hits" parameter is not checked properly before be used in sql query :
File /modules/Downloads/admin.php, Line 1586 :
:: $dbconn->Execute("INSERT INTO $downtable
:: ($column[lid],
:: $column[cid],
:: $column[sid],
:: $column[title],
:: $column[url],
:: $column[description],
:: $column[date],
:: $column[name],
:: $column[email],
:: $column[hits],
:: $column[submitter],
:: $column[downloadratingsummary],
:: $column[totalvotes],
:: $column[totalcomments],
:: $column[filesize],
:: $column[version],
:: $column[homepage])
:: VALUES
:: (" . (int)pnVarPrepForStore($newid) . ",
:: " . (int)pnVarPrepForStore($cat[0]) .",
:: " . (int)pnVarPrepForStore($cat[1]) .",
:: '" . pnVarPrepForStore($title) . "',
:: '" . pnVarPrepForStore($url) . "',
:: '" . pnVarPrepForStore($description) . "',
:: " . $dbconn->DBTimestamp(time()) . ",
:: '" . pnVarPrepForStore($name) . "',
:: '" . pnVarPrepForStore($email) . "',
" . pnVarPrepForStore($hits) . ",
:: '" . pnVarPrepForStore($submitter) . "',
:: 0,
:: 0,
:: 0,
:: '" . pnVarPrepForStore($filesize) . "',
:: '" . pnVarPrepForStore($version) . "',
:: '" . pnVarPrepForStore($homepage) . "')");
The bug is in admin section, so it doesnt seem to be critical .
Also, "PostNuke 0.800 Milestone 2" has been released .
- Omid
