PostNuke Community

Support at your fingertips

PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability  Top

  • goexplore
    goexplore's Avatar
    Freshman
    • Rank: Freshman
    • Registered: 28.01.06
    • last visit: 30.03.08
    • Posts: 4
    Posted: 30.03.2008, 19:07

    Is there a patch for this? Where would I find it? (searched the forums and the bugtracker database and google)

    TIA

    ----------------------------------------------------------

    PostNuke 'pnVarPrepForStore()' SQL Injection Vulnerability
    BugTraq ID: 28407
    Remote: Yes
    Last Updated: 2008-03-25
    Relevant URL: http://www.securityfocus.com/bid/28407
    Summary:
    PostNuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

    Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

    PostNuke 0.764 is vulnerable; other versions may also be affected.
  • larsneo
    larsneo's Avatar
    Software Foundation
    • Rank: Software Foundation
    • Registered: 31.12.69
    • last visit: 27.06.09
    • Posts: 4458
    Posted: 30.03.2008, 22:25
    there's indeed a problem with server vars from pnGetServerVar under certain circumstances (if magic_quotes [1] are enabled server-variables are not automatically escaped for database use within pnVarPrepForStore like typical GET/POST/COOKIE vars). this can be used for a so called 'blind injection' (e.g. insert select-values into the varchar(20) ipaddr-field within the session table) when using a faked HTTP_CLIENT_IP header.


    we are currently working on a patch (some backport from the .8 series) but since the problem might also affect third party libaries it might take some time for a generic solution.


    as a hotfix simply disable magic_quotes completly - this way the vars are correctly escaped (recommended in .8 anyway so just ignore the warning in the administration).


    to turn off magic quotes put the following line into the .htaccess file:

    Code

    php_flag magic_quotes_gpc off

    if your server has PHP suexec enabled you won't be able use php_flag in .htaccess file to change PHP values - in this case you can try creating a php.ini file and add something like:

    Code

    magic_quotes_runtime=off
    magic_quotes_gpc=off
    magic_quotes_sybase=off


    [1] magic_quotes are DEPRECATED and REMOVED as of PHP 6.0.0, see us.php.net/magic_quotes for more information


    phpsecinfo might also help to secure the PHP settings

    --
    regards from germany
    ..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
  • goexplore
    goexplore's Avatar
    Freshman
    • Rank: Freshman
    • Registered: 28.01.06
    • last visit: 30.03.08
    • Posts: 4
    Posted: 30.03.2008, 22:39

    That was my assessment too but I'm not a PHP or PN expert. Thanks for the expert advice. Done.
  • jadranko
    jadranko's Avatar
    Helper
    • Rank: Helper
    • Registered: 05.11.03
    • last visit: 31.01.09
    • Posts: 126
    Posted: 27.04.2008, 01:14
    Good to know, but some of us can't afford to turn off magic quotes because important modules such as reviews and menalto gallery depend on it, and will crash if disabled.

    I hope we see some fixes soon, time for PN0765 I think.

    --
    "A patriot must be ready to defend his country against his government." - Edward Abbey

Users online

This list is based on the users active over the last 60 minutes.