In association with heise online

27 February 2007, 12:33

Vulnerability in Pagesetter publishing module for PostNuke

A vulnerability in the optional Pagesetter publishing module for the popular content management system PostNuke allows arbitrary files on a system to be read with the privileges of the web server. Pagesetter is intended to assist users in creating their own modules and content headings. By calling a simple URL in the browser, however, it is possible to read, for example, the file /etc/passwd. It is not necessary to be logged in to the system; all that is required is that the name of the file is known, which presents an attacker with few problems on standard systems.

Pagesetter 6.2.0 to 6.3.0 beta5 are affected. The bug is fixed in the latest version 6.3.0. Users should update to the new version as soon as possible, as a demo URL for reading files is included in the security advisory from SEC Consult, who discovered the vulnerability. Forthcoming attacks are therefore to be expected.
