PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability


Is there a patch for this? Where would I find it? (searched the forums and the bugtracker database and google)

TIA

----------------------------------------------------------

PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability
BugTraq ID: 28407
Remote: Yes
Last Updated: 2008-03-25
Relevant URL: http://www.securityfocus.com/bid/28407
Summary:
PostNuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PostNuke 0.764 is vulnerable; other versions may also be affected.
There's indeed a problem with server vars from pnGetServerVar under certain circumstances: if magic_quotes [1] are enabled, server variables are not automatically escaped for database use within pnVarPrepForStore like typical GET/POST/COOKIE vars. This can be used for a so-called 'blind injection' (e.g. inserting select values into the varchar(20) ipaddr field within the session table) when using a faked HTTP_CLIENT_IP header.


We are currently working on a patch (some backport from the .8 series), but since the problem might also affect third-party libraries it might take some time for a generic solution.


As a hotfix, simply disable magic_quotes completely; this way the vars are correctly escaped (recommended in .8 anyway, so just ignore the warning in the administration).


To turn off magic quotes, put the following line into the .htaccess file:

Code

php_flag magic_quotes_gpc off

If your server has PHP suexec enabled you won't be able to use php_flag in the .htaccess file to change PHP values; in this case you can try creating a php.ini file and adding something like:

Code

magic_quotes_runtime=off
magic_quotes_gpc=off
magic_quotes_sybase=off


[1] magic_quotes are DEPRECATED and REMOVED as of PHP 6.0.0; see us.php.net/magic_quotes for more information.


phpsecinfo might also help to secure the PHP settings.

--
regards from germany
..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
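To make the mechanism described in the post above concrete, here is an added PHP example. It is not PostNuke's own code: `prep_for_store_vulnerable()` and `prep_for_store_fixed()` are simplified stand-ins for pnVarPrepForStore(), the request arrays are a constructed sample (not captured traffic), the session INSERT is a stand-in for the real session-table write, and the HTTP_CLIENT_IP payload is a generic illustrative shape rather than a real exploit string. The point it shows is the one the post makes: with magic_quotes_gpc on, PHP slash-escapes GET/POST/COOKIE but never $_SERVER, so code that says "magic quotes are on, therefore everything is already escaped" lets a forged header reach the query raw, while disabling magic quotes (the hotfix) or escaping by source (the fix) closes the hole.

```php
<?php
// Added illustration of the bug class, not PostNuke's code.
// Assumption: the original pnVarPrepForStore() skipped escaping whenever
// magic_quotes_gpc was on, trusting PHP to have added the slashes already.

// Constructed sample request. magic_quotes_gpc applies addslashes() to
// $_GET/$_POST/$_COOKIE only; $_SERVER (and so any HTTP_* header) stays raw.
function sample_request(bool $magicQuotesOn): array
{
    $get    = ['name' => "O'Reilly"];
    $server = ['HTTP_CLIENT_IP' => "1.2.3.4', (SELECT 1))-- "]; // attacker-controlled header
    if ($magicQuotesOn) {
        $get = array_map('addslashes', $get);   // what magic_quotes_gpc does
    }
    return ['get' => $get, 'server' => $server];
}

// Vulnerable stand-in: "magic quotes on => input is already escaped".
// True for GPC vars, false for server vars.
function prep_for_store_vulnerable(string $value, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        return $value;               // server vars pass through unescaped
    }
    return addslashes($value);
}

// Hardened stand-in: undo magic quotes only where PHP applied them, then
// always escape. addslashes() keeps the demo self-contained; a real
// application should use the driver's escaping or prepared statements.
function prep_for_store_fixed(string $value, bool $magicQuotesOn, bool $fromGpc): string
{
    if ($magicQuotesOn && $fromGpc) {
        $value = stripslashes($value);   // back to the raw user input
    }
    return addslashes($value);
}

// Stand-in for the session-table write that stores the client IP.
function session_insert(string $ipaddr): string
{
    return "INSERT INTO sessions (ipaddr) VALUES ('" . $ipaddr . "')";
}

// 1. magic_quotes_gpc on, vulnerable code: the header breaks out of the string.
$magic = true;
$req   = sample_request($magic);
$ip    = $req['server']['HTTP_CLIENT_IP'];
echo "magic on,  vulnerable: " . session_insert(prep_for_store_vulnerable($ip, $magic)) . "\n";
echo "magic on,  GET name:   " . prep_for_store_vulnerable($req['get']['name'], $magic) . "\n";

// 2. Same vulnerable code with magic quotes off (the hotfix from the post):
//    the escape branch now runs for every variable, including the header.
$magic = false;
$req   = sample_request($magic);
$ip    = $req['server']['HTTP_CLIENT_IP'];
echo "magic off, vulnerable: " . session_insert(prep_for_store_vulnerable($ip, $magic)) . "\n";

// 3. Fixed code escapes by source regardless of the magic_quotes setting.
$magic = true;
$req   = sample_request($magic);
echo "magic on,  fixed:      " . session_insert(prep_for_store_fixed($req['server']['HTTP_CLIENT_IP'], $magic, false)) . "\n";
echo "magic on,  fixed GET:  " . prep_for_store_fixed($req['get']['name'], $magic, true) . "\n";
```

Run it with `php example.php`. In case 1 the INSERT reads `VALUES ('1.2.3.4', (SELECT 1))-- ')`: the single quote in the header terminates the literal and the rest is interpreted as SQL, which is exactly the situation the post describes for the ipaddr column. Cases 2 and 3 both produce `VALUES ('1.2.3.4\', (SELECT 1))-- ')`, i.e. the quote is escaped and the header is stored as data. Note that the check in case 3 keys on where a value came from, not on the global magic_quotes flag; a stand-in for the "third-party libraries" caveat in the post is any module that builds its own queries from $_SERVER with the same assumption.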

That was my assessment too but I'm not a PHP or PN expert. Thanks for the expert advice. Done.
Good to know, but some of us can't afford to turn off magic quotes because important modules such as Reviews and Menalto Gallery depend on it, and will crash if it is disabled.

I hope we see some fixes soon, time for PN0765 I think.

--
"A patriot must be ready to defend his country against his government." - Edward Abbey