Synopsis
A remote web application is affected by an information disclosure vulnerability.
Description
The remote host is running PostNuke. It is possible to use the CMS to determine the full path to its installation on the server, or the name of the database used, by sending a request such as:
/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=
An attacker may use these flaws to gain more detailed knowledge of the remote host.
Solution
Change the members list privileges to admins only, or disable the members list module completely.
Plugin Details
File Name: postnuke_info_disclosure2.nasl
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus
Enable CGI Scanning: true
Vulnerability Information
CPE: cpe:/a:postnuke_software_foundation:postnuke
Required KB Items: www/postnuke