{"vuid":"VU#921547","idnumber":"921547","name":"PostNuke does not adequately validate user input, thereby allowing a malicious user to bypass user authentication via SQL injection","keywords":["PostNuke","user input","bypass authentication","SQL injection","modify query","PHPNuke"],"overview":"PostNuke does not adequately filter user input, allowing arbitrary MySQL query execution and user authentication without a password.","clean_desc":"PostNuke is a web content management system based on PHPNuke, written in PHP. The article.php component of PostNuke versions 0.62, 0.63, and 06.4 does not adequately filter the \"user\" CGI variable before passing it to a MySQL query. Attackers may exploit this vulnerability to execute arbitrary MySQL queries. In addition, the vulnerable MySQL query is used to authenticate users. By knowing only a PostNuke username and ID, attackers may tamper with the MySQL query to achieve a positive authentication result for that PostNuke user.","impact":"Attackers may execute arbitrary MySQL queries and log in as other users without passwords.","resolution":"Apply a patch. Upgrade to PostNuke 0.71, available at: http://www.postnuke.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=169","workarounds":"","sysaffected":"","thanks":"Thanks to Magnus Skjegstad for reporting this vulnerability.","author":"This document was written by Shawn Van Ittersum.","public":["http://www.securityfocus.com/bid/3435"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-10-15T13:21:07Z","publicdate":"2001-10-13T00:00:00Z","datefirstpublished":"2002-09-27T16:12:19Z","dateupdated":"2002-09-27T16:12:23Z","revision":4,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"4","cam_impact":"11","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"4.7025","cam_scorecurrentwidelyknown":"5.94","cam_scorecurrentwidelyknownexploited":"10.89","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.7025,"vulnote":null}