
Error message too informative

  • This is not the best place to post this but it was the closest I could find quickly.

    It was reported that PostNuke has a path disclosure problem at the following site.

    http://www.securitybugware.org/Other/6083.html

    Here is a simple fix to the issue. Long term, the error reporting should probably be done to a file or set as an option so that more detailed information could be presented when needed in debugging and none when in a production state.

    Hope this is helpful.

    File: legacy.php

    /**
    * Error message due a ADODB SQL error and die
    */
    function PN_DBMsgError($DB='',$prg='',$line=0,$message='Error accesing to the database')
    {
        // 2 lines added to strip the server root path
        $padprg = $prg;
        $prg = str_replace($_SERVER["SITE_HTMLROOT"], "...", $padprg);
        //

        $lcmessage = $message . "<br>" .
            "Program: " . $prg . " - " . "Line No.: " . $line . "<br>";

        // remove report DB name not necessary in most cases
        // "Database: " . $DB->database . "<br>";

        if($DB->ErrorNo()<>0) {
            $lcmessage .= "Error (" . $DB->ErrorNo() . ") : " . $DB->ErrorMsg() . "<br>";
        }
        die($lcmessage);
    }
  • I find it disturbing that there has been no official Postnuke developer release of a fix for that after all this time.

    Steve
    http://www.dnspad.com/
  • Tried the mod. I'm using 0.7.1 PostNuke with the Encompass theme.

    This gave a header error

    so I assume this applies to the latest versions
  • A security fix has been submitted to pnCorps for QA.
    It will be released to the public soon.
  • djk wrote:

    This is not the best place to post this but it was the closest I could find quickly.

    It was reported that PostNuke has a path disclosure problem at the following site.

    http://www.securitybugware.org/Other/6083.html

    Here is a simple fix to the issue. Long term, the error reporting should probably be done to a file or set as an option so that more detailed information could be presented when needed in debugging and none when in a production state.

    Hope this is helpful.

    File: legacy.php

    /**
    * Error message due a ADODB SQL error and die
    */
    function PN_DBMsgError($DB='',$prg='',$line=0,$message='Error accesing to the database')
    {
        // 2 lines added to strip the server root path
        $padprg = $prg;
        $prg = str_replace($_SERVER["SITE_HTMLROOT"], "...", $padprg);
        //

        $lcmessage = $message . "<br>" .
            "Program: " . $prg . " - " . "Line No.: " . $line . "<br>";

        // remove report DB name not necessary in most cases
        // "Database: " . $DB->database . "<br>";

        if($DB->ErrorNo()<>0) {
            $lcmessage .= "Error (" . $DB->ErrorNo() . ") : " . $DB->ErrorMsg() . "<br>";
        }
        die($lcmessage);
    }

    I'm disappointed that this wasn't in the latest security release with the other legacy.php patch. At any rate, thanks for your post. It works like a charm.

    --
    "It's a small world...
    But I wouldn't want to paint it!"
    Stephen Wright
  • stretchr wrote:

    I'm disappointed that this wasn't in the latest security release with the other legacy.php patch. At any rate, thanks for your post. It works like a charm.

    It was. There is no 'other' fix in legacy.php.

    The fix implemented was different to the originally submitted solution. In our implementation you see the full set of information if you're logged in as a site admin and a restricted set of information if you are a normal user.

    This is implemented via the code

    Code

    if(pnSecAuthAction(0, "::", '::', ACCESS_ADMIN)) {

    ......

    } else {

    .......

    }


    -Mark
  • markwest wrote:

    It was. There is no 'other' fix in legacy.php.

    The fix implemented was different to the originally submitted solution. In our implementation you see the full set of information if you're logged in as a site admin and a restricted set of information if you are a normal user.

    This is implemented via the code

    Code

    if(pnSecAuthAction(0, "::", '::', ACCESS_ADMIN)) {

    ......

    } else {

    .......

    }

    -Mark


    Duh. You're right, my mistake. I wonder though...
    I just tried the security fix posted at PN but I only see that it removed the database name and not the path statement. If this is how the patch is supposed to function, then it's a bit different than the one posted in this thread. That mod also gets rid of the path statement.

    If this is not correct please let me know.
    :?:

    At any rate, thank you for the reply. When I first tested this I didn't even realize I was logged in as admin so your post made me go back and test again. Thanks.

    --
    "It's a small world...
    But I wouldn't want to paint it!"
    Stephen Wright
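
The first post's long-term suggestion (send details to a file) combined with the admin/normal-user split markwest describes, as an added example that is not PostNuke's code. The function names, the `$isAdmin` flag (which in PostNuke would come from a check such as the `pnSecAuthAction` call quoted above), the log path and the sample values are assumptions; it requires PHP 7 or later.

```php
<?php
// Added example, not PostNuke code. Function names, $isAdmin, the log path
// and the sample values below are hypothetical.

/** Build a full log record and a browser-safe message for one DB error. */
function build_db_error_report(string $file, int $line, int $errno, string $errmsg,
                               string $dbName, string $siteRoot, bool $isAdmin): array
{
    // A reference id lets a user report the failure without seeing details.
    $ref = bin2hex(random_bytes(4));

    // Full detail (absolute path, DB name) goes to the log only. CR/LF are
    // collapsed so a crafted error string cannot forge extra log lines.
    $detail = sprintf('db=%s file=%s line=%d errno=%d msg=%s',
        $dbName, $file, $line, $errno, $errmsg);
    $logLine = sprintf("[%s] ref=%s %s\n", gmdate('c'), $ref,
        preg_replace('/[\r\n]+/', ' ', $detail));

    $display = 'Error accessing the database (ref ' . $ref . ')';
    if ($isAdmin) {
        // Admins get the script and line, with the server root stripped.
        $relative = ($siteRoot !== '' && strpos($file, $siteRoot) === 0)
            ? '...' . substr($file, strlen($siteRoot))
            : basename($file);
        $display .= sprintf('<br>Program: %s - Line No.: %d<br>Error (%d) : %s',
            htmlspecialchars($relative, ENT_QUOTES), $line, $errno,
            htmlspecialchars($errmsg, ENT_QUOTES));
    }
    return ['ref' => $ref, 'log' => $logLine, 'display' => $display];
}

/** Append the record to a log file outside the web root, then stop. */
function report_db_error(array $report, string $logFile): void
{
    error_log($report['log'], 3, $logFile);
    die($report['display'] . "\n");
}

// Constructed sample: a non-admin visitor hits a failed query.
$report = build_db_error_report(
    '/home/example/public_html/modules/News/index.php', 42, 1146,
    "Table 'nuke.stories' doesn't exist", 'nuke',
    '/home/example/public_html', false);
echo $report['log'];   // what the administrator finds in the log file
report_db_error($report, sys_get_temp_dir() . '/pn_db_error.log');
```

The database driver's own error text can still name tables or the schema, which is why it is shown only on the admin branch here.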