PostNuke "dl-viewdownload.php" Remote SQL Injection Vulnerability

AlphaOne Technology Support Forums

Welcome, Guest. Please login or register.
December 02, 2008, 06:30:10 AM

1733 Posts in 827 Topics by 4755 Members
Latest Member: typetroyk

Home

Help

Login

Register

AlphaOne Technology Support Forums | IMPORTANT ANNOUNCEMENTS | Security Announcements | PostNuke | Topic: PostNuke "dl-viewdownload.php" Remote SQL Injection Vulnerability

0 Members and 1 Guest are viewing this topic.

« previous next »

Pages: [1]

Go Down

Print

Author

Topic: PostNuke "dl-viewdownload.php" Remote SQL Injection Vulnerability (Read 885 times)

TJ

Tech Team
Hero Member

Offline

Offline

Posts: 136

PostNuke "dl-viewdownload.php" Remote SQL Injection Vulnerability

« on: August 25, 2005, 02:07:09 PM »

* Technical Description *

A vulnerability was identified in PostNuke, which may be exploited by malicious administrators to execute arbitrary SQL commands. This flaw is due to an input validation error in the "modules/Downloads/dl-viewdownload.php" script that does not properly filter a specially crafted "show" parameter, which may be exploited by administrators to execute arbitrary SQL commands.

* Affected Products *

PostNuke version 0.760-RC4b and prior

* Solution *

Upgrade to PostNuke version 0.760 :
http://news.postnuke.com/Downloads-req-viewdownload-cid-1.html

* References *

http://www.frsirt.com/english/advisories/2005/1529
http://www.securityreason.com/adv/PN15.asc


	Logged

Pages: [1]

Go Up

Print

AlphaOne Technology Support Forums | IMPORTANT ANNOUNCEMENTS | Security Announcements | PostNuke | Topic: PostNuke "dl-viewdownload.php" Remote SQL Injection Vulnerability

« previous next »

Jump to:

AlphaOne Technology Support Forums | Powered by SMF 1.0.7.
© 2001-2005, Lewis Media. All Rights Reserved.