PostNuke Sections Module Information Disclosure

medium Nessus Plugin ID 11666

Language:

Synopsis

A remote web application is affected by an information disclosure vulnerability.

Description

The remote host is running PostNuke. It is possible to use the CMS to determine the full path to its installation on the server or the name of the database used, by doing a request like :

/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=

An attacker may use these flaws to gain a more intimate knowledge of the remote host.

Solution

Change the members list privileges to admins only, or disable the members list module completely.

Plugin Details

Severity: Medium

ID: 11666

File Name: postnuke_info_disclosure2.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 5/29/2003

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:postnuke_software_foundation:postnuke

Required KB Items: www/postnuke

Excluded KB Items: Settings/disable_cgi_scanning