Secunia

Maksymilian Arciemowicz has reported some vulnerabilities in PostNuke, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to bypass certain security restrictions.

1) It is possible to bypass the HTML tag filter implemented in "pnVarCleanFromInput()" and "pnAntiCracker()" via specially-crafted HTML tags.

Example:
<HTMLTAG? <

2) Input passed to the "htmltext" parameter in user.php and to the "language" parameter in the NS-Languages module isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:
http://[host]/user.php?op=edituser&htmltext=[code]
http://[host]/admin.php?module=NS-Languages&op=missing&language=">[code]
http://[host]/admin.php?module=NS-Languages&op=translation&language=[code]

3) An access control error in admin.php can be exploited to access certain modules like NS-Languages and Banners without requiring admin privilege.

Example:
http://[host]/admin.php?module=NS-Languages
http://[host]/admin.php?module=Banners

4) Input passed to the "language" parameter in the NS-Languages module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example:
http://[host]/admin.php?module=NS-Languages&op=missing&language=[sql]

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities have been reported in version 0.761 and prior.

Solution
Update to version 0.762.
Further details available in Customer Area

Provided and/or discovered by
Maksymilian Arciemowicz

Changelog
Further details available in Customer Area

Original Advisory
PostNuke:
http://news.postnuke.com/index.php?name=News&file=article&sid=2754

SecurityReason:
http://securityreason.com/achievement_securityalert/33

Deep Links
Links available in Customer Area