File Disclosure in Pagesetter for PostNuke

SEC-CONSULT Security Advisory < 20070226-0>

=======================================================================

title: File Disclosure in Pagesetter for PostNuke

program: Pagesetter page creation module

vulnerable version: 6.2.0

6.3.0 beta 5

impact: high

homepage: www.elfisk.dk

found: 2006-11-21

by: D. Matscheko / SEC-CONSULT / www.sec-consult.com

=======================================================================

 

vendor description:

---------------

 

Pagesetter is a publishing module that allows the PostNuke users to

create web pages from structured data, with the data structure and

output templates defined by the PostNuke administrator.

 

[Source: www.elfisk.dk]

 

 

vulnerability overview:

---------------

 

The 3rd party module Pagesetter - up to its latest version (6.3.0

beta 5) - for PostNuke allows to read arbitrary files. An attacker

does not need to be logged in but has to know the filename.

 

 

proof of concept:

---------------

 

Here is a sample request that reads the file '/etc/passwd':

$ GET 
'http://example.com/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00'

 

 

vulnerable versions:

---------------

 

Version 6.2.0 as well as 6.3.0 beta 5 seem to be vulnerable to the

described attack. No older versions were tested.

 

 

vendor status:

---------------

vendor notified: 2007-02-08

vendor response: 2007-02-08

patch available: 2007-02-08

coordinated disclosure: 2007-02-26

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Blindengasse 3

A-1080 Wien

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF David Matscheko / @2007