PostNuke Members_List Module Information Disclosure

medium Nessus Plugin ID 11482

Synopsis

A remote web application is affected by an information disclosure vulnerability.

Description

The remote host is running PostNuke. It is possible to use the CMS to determine the full path to its installation on the server, or the name of the database used, by sending a request such as:

/modules.php?op=modload&name=Members_List&file=index&letter=All&sortby=foobar

An attacker may use these flaws to gain a more intimate knowledge of the remote host.

Solution

Change the members list privileges to admins only, or disable the members list module completely.
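To check whether such requests have already reached the server, the following added example (not part of the plugin or of PostNuke) scans access-log lines for Members_List requests whose sortby value is not one the site normally links to. The allowlist values, the function name and the sample log lines are assumptions constructed for illustration; the log format assumed is the common/combined access log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist (assumption): the sort keys your own member list
# page actually links to. Replace with the values used by your deployment.
ALLOWED_SORTBY = {"uname", "name", "email", "url"}

# Client address, request target and status from a common/combined log line.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2003:10:00:01 +0000] "GET /modules.php?op=modload'
    '&name=Members_List&file=index&letter=All&sortby=uname HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Mar/2003:10:00:05 +0000] "GET /modules.php?op=modload'
    '&name=Members_List&file=index&letter=All&sortby=foobar HTTP/1.1" 200 812',
    '192.0.2.10 - - [26/Mar/2003:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

def suspicious_members_list_requests(lines, allowed=ALLOWED_SORTBY):
    """Return (client, sortby, status) for each Members_List request whose
    sortby value is outside the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.lower().endswith("/modules.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        modules = [v.lower() for v in params.get("name", [])]
        if "members_list" not in modules:
            continue
        for value in params.get("sortby", []):
            if value not in allowed:
                hits.append((client, value, status))
    return hits

if __name__ == "__main__":
    for client, sortby, status in suspicious_members_list_requests(SAMPLE_LOG):
        print(f"{client} requested Members_List with sortby={sortby!r} (HTTP {status})")
```
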

Plugin Details

Severity: Medium

ID: 11482

File Name: postnuke_info_disclosure.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 3/26/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:postnuke_software_foundation:postnuke

Required KB Items: www/postnuke