PostNuke Security Advisory 2005-4
Local file inclusion via pn_bbcode (third party library used in PostNuke CMS 0.760)
DESCRIPTION
PostNuke CMS is an open source, open development content management system (CMS). PostNuke CMS is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers (including ADODB database abstraction and Smarty templating) is in place. The PostNuke CMS Development Team was notified about a security issue within the current .760 stable package relating to the pn_bbcode module which uses the GeSHi library.
VULNERABILITIES
- Local file inclusion via GeSHi library contained in the pn_bbcode library
SOLUTION
It is recommended that all admins remove
./modules/pn_bbcode/pnincludes/contrib/example.php
from the filesystem.
Additionally PostNuke CMS Platinum Edition 0.761 contains an updated version of GeSHi.
The hash sums for the PostNuke CMS Platinum Edition 0.761 are:
MD5
4b76e09c507db0224d34fc448e7efb91 PostNuke-0.761.tar.gz
c4090097b26caa38115540e24378e9b4 PostNuke-0.761.zip
SHA1
b69d9bfabb5c8641e4b5dd9e9ee6f5803d86c41d PostNuke-0.761.tar.gz
79869b9a7003ac9046788cebad23135f68eef648 PostNuke-0.761.zip
Download from http://downloads.postnuke.com
CREDITS
The exploit was originally found by Maksymilian Arciemowicz ( cXIb8O3 ) and was reported via security contact.
Drak [drak]
PostNuke CMS Development Team
-----
Regards,
Simon
itbegins.co.uk - PostNuke Consulting
Please read the Support Guide
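An audit script for the two steps in the SOLUTION section, added here as an example and not part of the original advisory: it checks whether the file the advisory says to remove is still present under a PostNuke root, and compares a downloaded 0.761 archive against the SHA1 sums listed above. The function names are hypothetical, and `sha1sum` or `shasum` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not PostNuke project code. The path and SHA1 values are
# copied from the advisory; the function names are hypothetical.

GESHI_EXAMPLE='modules/pn_bbcode/pnincludes/contrib/example.php'

# Print the path and return 0 if the file the advisory says to remove still
# exists under the given PostNuke root; return 1 if it is gone.
geshi_example_present() {
    target="${1%/}/$GESHI_EXAMPLE"
    if [ -e "$target" ] || [ -L "$target" ]; then
        printf '%s\n' "$target"
        return 0
    fi
    return 1
}

# Print the SHA1 the advisory lists for a 0.761 archive name.
advisory_sha1() {
    case "$1" in
        PostNuke-0.761.tar.gz) echo b69d9bfabb5c8641e4b5dd9e9ee6f5803d86c41d ;;
        PostNuke-0.761.zip)    echo 79869b9a7003ac9046788cebad23135f68eef648 ;;
        *) return 1 ;;
    esac
}

# Hash a file with whichever SHA1 tool is available (assumption: one is).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the archive matches the advisory, 1 on mismatch, and 2 if the
# file name is not one the advisory lists or the file cannot be read.
verify_release() {
    want=$(advisory_sha1 "$(basename "$1")") || return 2
    [ -r "$1" ] || return 2
    got=$(sha1_of "$1")
    [ "$got" = "$want" ]
}
```

Call `geshi_example_present /path/to/postnuke` for each installed site and `verify_release PostNuke-0.761.tar.gz` on the download before unpacking it.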
