PostNuke

Flexible Content Management System

News

PostNuke Security Fix (SQL injection and directory traversal)

Contributed by If you are running . on Mar 07, 2003 - 11:15 PM

SOLUTION


It is recommended that all admins upgrade their sites to v7.2.3 and apply the latest security fix package, available right now from the locations listed below.




As a general rule of thumb, we also recommend never using the 'root' user to connect to the MySQL server, whether for the PostNuke installation or for any other application running on the web.





UPDATED PACKAGES


1. PostNuke Phoenix 0.723 (tar.gz format) http://download.hostnuke.com/pafiledb.php?action=file&id=15


Size/MD5 checksum: 1844005 606a6f45dcd232c48e2bfb37004339a6




2. PostNuke Phoenix 0.723 (zip format) http://download.hostnuke.com/pafiledb.php?action=file&id=16


Size/MD5 checksum: 2620869 0d54b12224746bacc5258b1b9562525a




3. Security Fix for PostNuke Phoenix 0.723 (zip format) http://download.hostnuke.com/pafiledb.php?action=file&id=17


Size/MD5 checksum: 14495 a6ea89e6669c35f80a7167ecf1aafa47




4. Security Fix for PostNuke Phoenix 0.723 (tar.gz format) http://download.hostnuke.com/pafiledb.php?action=file&id=18


Size/MD5 checksum: 11785 1e5c2a2c938aba4103af1e217a37d9c7
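
To check a download against the sizes and MD5 checksums listed above before unpacking it, a script along the following lines can be used. It is an added example, not part of the original advisory or of PostNuke; it assumes a POSIX shell with md5sum available, and the script name, function names and local file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded PostNuke 0.723 package against the
# Size/MD5 values in this advisory. Function names are hypothetical.
# A match shows the download is complete and is the file the advisory lists;
# MD5 is not collision-resistant, so it does not replace a signature.

# "<item> <size-in-bytes> <md5>", copied from the UPDATED PACKAGES list.
ADVISORY_SUMS='1 1844005 606a6f45dcd232c48e2bfb37004339a6
2 2620869 0d54b12224746bacc5258b1b9562525a
3 14495 a6ea89e6669c35f80a7167ecf1aafa47
4 11785 1e5c2a2c938aba4103af1e217a37d9c7'

# check_file FILE SIZE MD5 -> 0 if both match, 1 on mismatch, 2 if unreadable
check_file() {
    file=$1 want_size=$2 want_md5=$3
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum < "$file" | cut -d' ' -f1)
    # Size first: a truncated download fails here with a clearer message.
    if [ "$have_size" != "$want_size" ]; then
        echo "SIZE MISMATCH $file: got $have_size, want $want_size" >&2
        return 1
    fi
    # Compare hex digests case-insensitively.
    if [ "$(printf %s "$have_md5" | tr A-F a-f)" != \
         "$(printf %s "$want_md5" | tr A-F a-f)" ]; then
        echo "MD5 MISMATCH $file: got $have_md5, want $want_md5" >&2
        return 1
    fi
    echo "OK $file"
}

# check_item N FILE: look up advisory item N (1-4) and verify FILE against it
check_item() {
    line=$(printf '%s\n' "$ADVISORY_SUMS" |
           awk -v n="$1" '$1 == n { print $2, $3 }')
    [ -n "$line" ] || { echo "no advisory item: $1" >&2; return 2; }
    # $line is deliberately unquoted so it splits into SIZE and MD5.
    check_file "$2" $line
}

# Usage (script name is hypothetical): sh verify.sh ITEM FILE
# e.g. ITEM 3 is the security fix in zip format.
if [ "$#" -eq 2 ]; then
    check_item "$1" "$2"
fi
```
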




ADDITIONAL INSTRUCTIONS


Place the files contained in this patch into the appropriate PostNuke directory, replacing the current files. Replacing the files applies the security fix to the system; this is what is meant by "patching" your system.






CREDITS


This exploit was originally found by pokleyzz (pokleyzz@scan-associates.net) from Scan Associates (http://scan-associates.net/) and was reported on 2003-02-24.

