PostNuke Members_List Module Information Disclosure

medium Nessus Plugin ID 11482

Synopsis

A remote web application is affected by an information disclosure vulnerability.

Description

The remote host is running PostNuke. It is possible to use the CMS to determine the full path to its installation on the server, or the name of the database it uses, by sending a request such as:

/modules.php?op=modload&name=Members_List&file=index&letter=All&sortby=foobar

An attacker may use these flaws to gain a more intimate knowledge of the remote host.
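One way to spot requests of this shape in web server access logs, as an added example that is not part of the Nessus plugin: it flags Members_List requests whose `sortby` value falls outside an allowlist. The allowlist values, the function name, and the combined-format log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hypothetical placeholder values. Replace with the sortby
# values your own member list pages actually link to.
ALLOWED_SORTBY = {"uname", "uid"}

# Client address, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)

def unexpected_sortby_requests(lines, allowed=ALLOWED_SORTBY):
    """Return (client, sortby, status) for Members_List requests whose
    sortby parameter is not in the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/modules.php"):
            continue
        # parse_qs percent-decodes, so encoded values are compared decoded.
        query = parse_qs(url.query, keep_blank_values=True)
        if not any(n.lower() == "members_list" for n in query.get("name", [])):
            continue
        bad = [v for v in query.get("sortby", []) if v not in allowed]
        if bad:
            hits.append((client, bad[0], int(status)))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2003:10:00:01 +0000] "GET /modules.php?op=modload&name=Members_List&file=index&letter=All&sortby=uname HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Mar/2003:10:00:07 +0000] "GET /modules.php?op=modload&name=Members_List&file=index&letter=All&sortby=foobar HTTP/1.1" 200 812',
    '192.0.2.44 - - [26/Mar/2003:10:00:09 +0000] "GET /modules.php?op=modload&name=News&file=index&sortby=foobar HTTP/1.1" 200 900',
    '192.0.2.51 - - [26/Mar/2003:10:01:30 +0000] "GET /modules.php?op=modload&name=Members_List&file=index&sortby=%66oobar HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for client, value, status in unexpected_sortby_requests(SAMPLE_LOG):
        print(f"{client} sent sortby={value!r} (HTTP {status})")
```

A hit only shows that the request was made; whether the response exposed a path or database name depends on the module still being reachable by non-admin users.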

Solution

Change the members list privileges to admins only, or disable the members list module completely.

Plugin Details

Severity: Medium

ID: 11482

File Name: postnuke_info_disclosure.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 3/26/2003

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:postnuke_software_foundation:postnuke

Required KB Items: www/postnuke

Excluded KB Items: Settings/disable_cgi_scanning