[<prev] [next>] [day] [month] [year] [list]
Message-ID: <RMOBILEE78AWQTaMVc900000001@rmobile>
Date: Fri, 6 Feb 2004 14:20:29 +0200
From: "Ferruh Mavituna" <ferruh@...ituna.com>
To: <bugtraq@...urityfocus.com>
Subject: Dotnetnuke Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------
DOTNETNUKE MULTIPLE VULNBERABILITIES
- - ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429
1) Source Code & File Access;
Severity : Highly Critical
2) XSS (Cross Site Scripting);
Severity : Low Critical
- - ------------------------------------------------------
ABOUT DOTNETNUKE;
- - ------------------------------------------------------
ASP.NET, Open Source Web Portal Application.
URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/
Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in
Intranet and Internet deployments. The Administrator has total
control of their web portal, membership, and has a powerful set of
tools to maintain a dynamic and 100% interactive data-driven web
site.
- - ------------------------------------------------------
VULNERABLE;
- - ------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d
- - ------------------------------------------------------
NOT VULNERABLE;
- - ------------------------------------------------------
DotNetNuke 1.0.10e
- - ------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
- - ------------------------------------------------------
This one is the biggest problem. Anyone can download files and source
codes with a simple GET request.
! Proof of Concept Codes removed because of the possible serious
damages. [Vendor informed with required proof of concepts]
- - ------------------------------------------------------
2) XSS (Cross Site Scripting);
- - ------------------------------------------------------
An attacker can steal active session and by "Remember Login" feature
attacker can login as another user at anytime.
------------------------------------------------------
Details;
------------------------------------------------------
PAGE : http://[VICTIM]/EditModule.aspx?tabid=510&def=Register
Input values need to encode.
- - ------------------------------------------------------
HOW TO PATCH [provided by vendor];
- - ------------------------------------------------------
Online URL :
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
Also required information attached.
- - ------------------------------------------------------
FINAL WORDS;
- - ------------------------------------------------------
Also other pages looks like have some similar security problems.
And I want thank you all dotnetnuke team, they fixed problems
quickly.
- - -----------------------------------------------------
HISTORY;
- - ------------------------------------------------------
Discovered: 12.12.2003
Vendor Informed: 30.01.2004
Published: 28.01.2004
- - ------------------------------------------------------
Vendor Status;
- - ------------------------------------------------------
Quickly answered and fixed.
Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@...ituna.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQCOGgTL0QoVzo2STEQKpbQCgghJMYBcyxFjL3BuYM9AYCSAZzAwAn1hF
TXQQbATmKndanAXaOx8jfedA
=Khhg
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists