Contributed by CVE references:
- various missing input validations within /modules/Xanthia/ [1]
- missing input validation within /modules/Messages/readpmsg.php [1]
- possible path disclosure within /user.php [2]
- possible path disclosure within /modules/News/article.php [2]
- possible remote code injection within /includes/pnMod.php [3]
- possible cross-site-scripting in /index.php
SOLUTION
It is recommended that all admins do an immediate upgrade of their sites to v0.750b by applying the latest security fix package available from the locations listed below. Since the Xanthia-module will be updated the site's theme needs to be set to ExtraLite (or any other non-Xanthia theme) prior to applying the update. After uploading the fixpackage the modules list needs to be regenerated and the Xanthia module upgraded within Administration-Modules.
Please note the main package has been updated to include this advisory so there is no need to apply this patch if you have downloaded PostNuke after the date of this announcement.
The /index.php and /includes/pnMod.php fixes are also available for the current .760rc4a Release Candidate within the changed files only package, the main package has also been updated with the fixes.
UPDATED PACKAGES
1. PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-411.html
SHA1: 60ef6f7c93cfa638fc7d089e078db0eaa59f95b4
MD5: c40ebc31cfa3ada351dbe63f4e9a6255
Size: 2407332 Bytes
2. PostNuke 0.750 (zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-410.html
SHA1: 50edfbb3c12bed0b80413d421d1a90ff28ed0c22
MD5: 26dc0202c776f7463008c54ce8cf89b9
Size: 3501230 Bytes
3. Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes
4. Security Fix (changed files only) for PostNuke 0.750 (.zip format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-472.html
SHA1: d504155418ab6d07491b3a6c0d18834fe20bbefd
MD5: e472c9917e2ff237b354bdc87838c504
Size: 247175 Bytes
CREDITS
The [1] exploits have been originally found by Maksymilian Arciemowicz from http://www.securityreason.com/ and were reported via security contact. The path disclosure issues [2] were found by 'Diabolic Crac' and reported to various trackers. The remote code injection [3] was reported by Mohamad Saleh Raub from http://www.scan-associates.net to the security contact.
Andreas Krapohl <larsneo>
PostNuke Development Team