PostNuke Sections Module Information Disclosure

medium Nessus Plugin ID 11666


Synopsis

A remote web application is affected by an information disclosure vulnerability.

Description

The remote host is running PostNuke. The CMS can be used to determine the full path to its installation on the server, or the name of the database it uses, by sending a request such as:

/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=

An attacker may use these flaws to gain a more intimate knowledge of the remote host.
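To check whether a site has already received this request, the following added example (not part of the Nessus plugin) scans web server access log lines for Sections `viewarticle` requests whose `artid` is missing, empty or non-numeric. The combined log format, the sample entries and the rule that a legitimate request carries a numeric `artid` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the client address, request target and status of a
# common/combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_sections_probe(target):
    """True if target is a Sections viewarticle request with an unusable artid."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/modules.php"):
        return False
    # keep_blank_values keeps "artid=" visible; the last duplicate wins, as in PHP.
    params = {k.lower(): v[-1]
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if params.get("name", "").lower() != "sections":
        return False
    if params.get("req", "").lower() != "viewarticle":
        return False
    artid = params.get("artid", "")
    # Assumption: a legitimate article view always carries a numeric artid.
    return not (artid.isascii() and artid.isdigit())

def find_probes(lines):
    """Return (ip, status, target) for every log line that matches the probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_sections_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("status"), m.group("target")))
    return hits

# Constructed sample entries (documentation addresses), not real traffic.
BASE = "/modules.php?op=modload&name=Sections&file=index&req=viewarticle"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET {BASE}&artid=12 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}&artid= HTTP/1.1" 200 812',
    f'198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /nuke{BASE} HTTP/1.0" 200 799',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /modules.php?op=modload&name=News&file=index HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, status, target in find_probes(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

A hit with status 200 is worth following up by checking whether the response body for that request contained a PHP error message with a filesystem path or database name.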

Solution

Change the members list privileges to admins only, or disable the members list module completely.

Plugin Details

Severity: Medium

ID: 11666

File Name: postnuke_info_disclosure2.nasl

Version: 1.17

Type: remote

Family: CGI abuses

Published: 5/29/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:postnuke_software_foundation:postnuke

Required KB Items: www/postnuke