Overview
PostNuke does not adequately filter user input, allowing arbitrary MySQL query execution and user authentication without a password.
Description
PostNuke is a web content management system based on PHPNuke, written in PHP. The article.php component of PostNuke versions 0.62, 0.63, and 0.64 does not adequately filter the "user" CGI variable before passing it to a MySQL query. Attackers may exploit this vulnerability to execute arbitrary MySQL queries. In addition, the vulnerable MySQL query is used to authenticate users. By knowing only a PostNuke username and ID, attackers may tamper with the MySQL query to achieve a positive authentication result for that PostNuke user.
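The flaw class described above, shown next to a hardened form. This is an added illustration, not PostNuke's code: Python with sqlite3 stands in for PHP and MySQL, and the table layout, account, function names and tampered value are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

def _digest(password):
    # Unsalted SHA-256 only keeps the sketch short; it is not a storage recommendation.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed schema and account (assumption: the page does not show PostNuke's tables).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (2, "alice", _digest("correct horse")))
    return db

def auth_unfiltered(db, uid, uname, password):
    """Flawed pattern: request values are pasted into the SQL text."""
    sql = ("SELECT uid FROM users WHERE uid = %s AND uname = '%s' AND pass = '%s'"
           % (uid, uname, _digest(password)))
    return db.execute(sql).fetchone() is not None

def auth_bound(db, uid, uname, password):
    """Hardened pattern: type-check the ID, bind every value, compare in constant time."""
    try:
        uid = int(uid)
    except (TypeError, ValueError):
        return False
    row = db.execute("SELECT pass FROM users WHERE uid = ? AND uname = ?",
                     (uid, uname)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _digest(password))

# Constructed request value carrying a quote and an SQL comment marker.
TAMPERED_UNAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    for check in (auth_unfiltered, auth_bound):
        print(check.__name__,
              "correct password:", check(db, "2", "alice", "correct horse"),
              "| tampered name, wrong password:", check(db, "2", TAMPERED_UNAME, "wrong"))
```

With bound parameters the tampered name is compared as a literal string, so the password comparison is never skipped.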
Impact
Attackers may execute arbitrary MySQL queries and log in as other users without passwords.
Solution
Apply a patch
Acknowledgements
Thanks to Magnus Skjegstad for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
CVE IDs: None
Severity Metric: 4.70
Date Public: 2001-10-13
Date First Published: 2002-09-27
Date Last Updated: 2002-09-27 16:12 UTC
Document Revision: 4