News

Remote Code Injection via xml rpc (third party library used in PostNuke CMS < .760)

DESCRIPTION
PostNuke CMS is an open source, open development content management system (CMS). PostNuke CMS started as a fork from PHPNuke and provides many enhancements and improvements over the PHP-Nuke system.
PostNuke CMS is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers (including ADODB database abstraction and Smarty templating) is in place.
The PostNuke CMS Development Team was notified about a security issue within the current .750 stable package and the .760 development tree.


VULNERABILTIES
- remote code injection via xml rpc library

SOLUTION
It is recommended that all admins deactivate and remove the 'xmlrpc' module within administration-modules and additionaly remove /xmlrpc.php and and the /modules/xmlrpc folder completly from the filesystem.
The PostNuke CMS Development Team highly recommends to *not* use the xml rpc library until the maintainers [1] provide a secure solution. Once an updated version is available a modularized version will be provided for download as an additional module.
Note: The upcoming .760 release will not contain the xml rpc library.

CREDITS
The exploit has been originally found by James from GulfTech Security Research and was reported via security contact. Additionally the maintainers of the xml rpc library were contacted.

Andreas Krapohl [larsneo]
PostNuke CMS Development Team

[1] phpxmlrpc.sourceforge.net

CVE reference: CAN-2005-1921