New PostNuke version closes security holes
A vulnerability has been removed from version 0.764 of PostNuke, a PHP content management system, that allowed attackers to inject their own PHP scripts and execute them with the web server's rights. The problem was caused by faulty filtering of the PNSVlang variable in the error.php module, the bug report claims. This in turn enabled directory traversal – a breaking out from the standard paths proscribed by the system. Still, the hole could only be used to embed and execute locally stored PHP scripts, which means that further steps were required for a successful attack.
Various non-security related flaws were also ironed out. This includes fixes by the developers to the installation routine, which prevented installation if the insecure register_globals=on option was set on the target system. The developers categorically recommend against that setting since it prevents variables in scripts from being set within user parameters and thereby provides potential targets for malicious manipulation. Alongside general security tips, the PostNuke-Wiki contains alternative possibilities on changing the option in various host environments.
- PostNuke .764 Released, announcement from PostNuke