http://news.postnuke.com/modules.php?op=modload&name=News&file=index&catid=&topic=>
I think this is a major bug because the attacker can insert and execute malicious code.
Why can we post in the Bug section? It's stupid!
bug found
http://support.postnuke.com/bugtracker/bug.php?op=show&bugid=82&pos=5
But I really don't know why nobody cares about entries in the bugtracker...
> What makes you think we don't care about entries made in the bug-tracker? I assure you we do.

It took eight days for the first response to a 'high priority' bug, and there was no response to a possible bugfix since 09-15-2002 - until now the bug is on deferred status...
**unknown user**
The example of cross-site scripting you gave, I noted, was discussed by Brian Anon on the postnuke.user mailing list recently. It seems that although a session ID can be discovered by the malicious user, in a roundabout way, and the session theoretically 'hijacked', PostNuke actually performs additional checks to ensure the session is legitimate.
As Brian Anon pointed out, exploiting this vulnerability by itself does not directly result in obtaining unauthorized access to a PostNuke site. Other conditions must be met to obtain unauthorized access.
Perhaps that is the reason the 'bug' is on deferred status, as you mention.
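Server-side session checks of the kind the post above describes, written as an added PHP example that is not PostNuke's own code; the fingerprint components, the function names and the login redirect path are assumptions:

```php
<?php
// Added example, not PostNuke code: a session ID alone should not be enough to
// act as its owner. Assumes plain PHP sessions; SESSION_SECRET is a placeholder.
declare(strict_types=1);

const SESSION_SECRET = 'replace-with-a-random-server-secret'; // placeholder

// 1. Keep the session cookie out of reach of injected script and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,  // document.cookie cannot read it
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Fingerprint of request properties that normally stay stable for one client.
function session_fingerprint(array $server, string $secret): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Only the first three IPv4 octets, so NAT or carrier address changes do not
    // log users out; an IPv6 address simply stays whole.
    $net = implode('.', array_slice(explode('.', $server['REMOTE_ADDR'] ?? '0.0.0.0'), 0, 3));
    return hash_hmac('sha256', $ua . '|' . $net, $secret);
}

// 2. Called once after a successful login: fresh ID plus a bound fingerprint.
function bind_session(int $uid, array $server, string $secret): void
{
    session_regenerate_id(true); // any pre-login (fixated) ID is discarded
    $_SESSION['uid'] = $uid;
    $_SESSION['fp']  = session_fingerprint($server, $secret);
}

// 3. Called on every request: a copied ID presented from another client fails.
function session_is_legit(array $session, array $server, string $secret): bool
{
    if (!isset($session['uid'], $session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], session_fingerprint($server, $secret));
}

if (isset($_SESSION['uid']) && !session_is_legit($_SESSION, $_SERVER, SESSION_SECRET)) {
    session_unset();
    session_destroy();
    header('Location: /user.php?op=loginscreen'); // assumed login path
    exit;
}
```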
> As Brian Anon pointed out, exploiting this vulnerability by itself does not directly result in obtaining unauthorized access to a PostNuke site. Other conditions must be met to obtain unauthorized access.

I think we agree that under certain circumstances one can hijack a PostNuke session and e.g. change user information - if this is done with an admin account, serious problems may occur...
BTW: there are some other places in the current PostNuke core (e.g. when you enable bbcode/html in private messages) where you can inject JavaScript - I tried to apply some bugfixes in HostNuke's .720 CVS sources some time ago and I hope that neo will port them to the current CVS (or set up some dev accounts again).
Regards from Germany,
larsneo
**unknown user**
> I think we agree that under certain circumstances one can hijack a PostNuke session and e.g. change user information - if this is done with an admin account, serious problems may occur...

Yes, absolutely agree. However, I think PN generally is relatively secure, and many of the possible security holes are more likely to be introduced by the site admin allowing certain options (your point about bbcode/html, and certain tags).
It is good to know that there are some people about like yourself who have not overlooked this important issue, and are contributing bug fixes where required. That means some peace of mind for me. :) Thanks.