Sql injection in PostNuke [Admin section] Sep 29 2006 06:13AM
Omid (omid hackers ir)
Hi,
There is a sql injection bug in PostNuke 0.762 admin section (and maybe
before versions) .
The "hits" parameter is not checked properly before be used in sql query :

File /modules/Downloads/admin.php, Line 1586 :
:: $dbconn->Execute("INSERT INTO $downtable
:: ($column[lid],
:: $column[cid],
:: $column[sid],
:: $column[title],
:: $column[url],
:: $column[description],
:: $column[date],
:: $column[name],
:: $column[email],
:: $column[hits],
:: $column[submitter],
:: $column[downloadratingsummary],
:: $column[totalvotes],
:: $column[totalcomments],
:: $column[filesize],
:: $column[version],
:: $column[homepage])
:: VALUES
:: (" . (int)pnVarPrepForStore($newid) . ",
:: " . (int)pnVarPrepForStore($cat[0]) .",
:: " . (int)pnVarPrepForStore($cat[1]) .",
:: '" . pnVarPrepForStore($title) . "',
:: '" . pnVarPrepForStore($url) . "',
:: '" . pnVarPrepForStore($description) . "',
:: " . $dbconn->DBTimestamp(time()) . ",
:: '" . pnVarPrepForStore($name) . "',
:: '" . pnVarPrepForStore($email) . "',
** " . pnVarPrepForStore($hits) . ",
:: '" . pnVarPrepForStore($submitter) . "',
:: 0,
:: 0,
:: 0,
:: '" . pnVarPrepForStore($filesize) . "',
:: '" . pnVarPrepForStore($version) . "',
:: '" . pnVarPrepForStore($homepage) . "')");

The bug is in admin section, so it doesnt seem to be critical .
Also, "PostNuke 0.800 Milestone 2" has been released .

- Omid

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus