Message-ID: <200401280854.i0S8sdU15337@netsys.com>
From: ferruh at mavituna.com (Ferruh Mavituna)
Subject: Dotnetnuke Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
- ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429 

1) Source Code & File Access;
Severity : Highly Critical

2) SQL Injection;
Severity : Moderately Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical


- ------------------------------------------------------
ABOUT DOTNETNUKE;
- ------------------------------------------------------
An open-source web portal application written in ASP.NET.

URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/


Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in Intranet and
Internet deployments. The Administrator has total control of their web
portal, membership, and has a powerful set of tools to maintain a dynamic
and 100% interactive data-driven web site. 


- ------------------------------------------------------
VULNERABLE;
- ------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d 


- ------------------------------------------------------
NOT VULNERABLE;
- ------------------------------------------------------
DotNetNuke 1.0.10e

- ------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
- ------------------------------------------------------
This is the most serious of the three issues. Anyone can download arbitrary
files, including the application's source code, with a simple GET request.

In particular, an attacker can download "Web.config" and read the SQL Server
login name and password from the connection string. If the application
connects to SQL Server as "sa" (and many developers still do), the attacker
is a database administrator and can go on to gain full remote control of the
system.

! Proof of Concept Codes removed because of the possible serious damages.
[Vendor informed with required proof of concepts]

- ------------------------------------------------------
2) SQL INJECTION;
- ------------------------------------------------------
Many SQL-related actions are vulnerable here, but most of them run through
stored procedures, which makes them harder to exploit. There is also no
additional check on integer fields.

	------------------------------------------------------
	Description;
	------------------------------------------------------
	In "LinkClick.aspx" the "table" and "field" request parameters are passed
	to the database without any check for SQL injection. The stored procedure
	they reach builds its statement by string concatenation and executes it,
	so the procedure boundary gives no protection: whatever is supplied as the
	table or field name is spliced into the query as-is.
	Some other SQL-related functions have the same problem.


	------------------------------------------------------
	Code;
	------------------------------------------------------
	------------------- LinkClick.aspx -------------------
	' update clicks
	Dim objAdmin As New AdminDB()
	objAdmin.UpdateClicks(Request.Params("table").ToString, _
	                      Request.Params("field").ToString, _
	                      Integer.Parse(Request.Params("id")), _
	                      UserId)

	------------------- Related Procedure -------------------
	create procedure UpdateClicks
	    select @SQL = 'update ' + @TableName + ' set Clicks = Clicks + 1 where '
	                + @KeyField + ' = ' + convert(varchar,@ItemId)

	------------------------------------------------------
	Solution;
	------------------------------------------------------
	Single quotes (') in values placed into SQL queries have to be escaped.
	Note that escaping quotes alone does not cover this case: "table" and
	"field" are identifiers, not quoted string literals, so they must be
	checked against a fixed list of permitted table and column names (or
	at least wrapped with QUOTENAME) before being concatenated.
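The following is an added example, not code from the advisory or from DotNetNuke. It reproduces the shape of the UpdateClicks flaw above and contrasts it with an identifier-validating fix. SQLite stands in for SQL Server, `executescript()` stands in for T-SQL `EXEC(@SQL)` (both run every statement in the string), and the table and column names are constructed for the demo; only the item id is parsed as an integer, as `Integer.Parse` does on the page, so the identifier parameters are the injectable ones. The hardened version goes beyond the advisory's quote-escaping advice: it treats identifiers as an allow-list problem and binds the id as a parameter.

```python
import re
import sqlite3

# Constructed stand-in schema (assumption: table/column names are illustrative,
# not the real DotNetNuke schema). Links.Clicks is the counter LinkClick.aspx bumps.
SCHEMA = """
CREATE TABLE Links (ItemId INTEGER PRIMARY KEY, Url TEXT, Clicks INTEGER DEFAULT 0);
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT);
INSERT INTO Links VALUES (1, 'http://example.invalid/', 0);
INSERT INTO Users VALUES (1, 'admin');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def update_clicks_vulnerable(conn, table_name, key_field, item_id):
    """Mirrors the advisory's UpdateClicks: request-supplied identifiers are
    concatenated straight into the statement. Only item_id is parsed as an
    integer (Integer.Parse in the page), so the identifiers are what an
    attacker controls. executescript() plays the role of EXEC(@SQL): it runs
    every statement in the string, not just the first one."""
    sql = (
        "UPDATE " + table_name + " SET Clicks = Clicks + 1 WHERE "
        + key_field + " = " + str(int(item_id))
    )
    conn.executescript(sql)


IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def update_clicks_safe(conn, table_name, key_field, item_id):
    """Hardened form: identifiers cannot be bound as parameters, so they are
    checked against the catalog (an allow-list the database itself provides),
    quoted, and only then spliced in; the id is bound as a parameter."""
    if not IDENTIFIER.match(table_name) or not IDENTIFIER.match(key_field):
        raise ValueError("identifier contains characters outside [A-Za-z0-9_]")
    if not table_exists(conn, table_name):
        raise ValueError("unknown table: %r" % table_name)
    # table_name passed the regex above, so embedding it in the PRAGMA is safe.
    columns = {row[1] for row in conn.execute('PRAGMA table_info("%s")' % table_name)}
    if key_field not in columns or "Clicks" not in columns:
        raise ValueError("unknown field: %r" % key_field)
    conn.execute(
        'UPDATE "%s" SET Clicks = Clicks + 1 WHERE "%s" = ?' % (table_name, key_field),
        (int(item_id),),
    )


def demo(payload="ItemId = 1; DROP TABLE Users; --"):
    """Sends the same hostile "field" value to both versions. Returns
    (users_table_dropped_by_vulnerable, payload_rejected_by_safe,
     clicks_after_a_legitimate_update_through_the_safe_version)."""
    conn = fresh_db()
    # field = "ItemId = 1; DROP TABLE Users; --" turns one UPDATE into two statements.
    update_clicks_vulnerable(conn, "Links", payload, 1)
    users_dropped = not table_exists(conn, "Users")

    conn = fresh_db()
    try:
        update_clicks_safe(conn, "Links", payload, 1)
        rejected = False
    except ValueError:
        rejected = True
    update_clicks_safe(conn, "Links", "ItemId", 1)  # the legitimate request still works
    clicks = conn.execute("SELECT Clicks FROM Links WHERE ItemId = 1").fetchone()[0]
    return users_dropped, rejected, clicks


if __name__ == "__main__":
    print(demo())  # (True, True, 1)
```

The regex is a first filter only; the catalog lookup is what actually decides whether a name is permitted, which is why a syntactically clean but unknown table is also refused. Quote-escaping would have done nothing against this payload, since it contains no quote character at all.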



- ------------------------------------------------------
3) XSS (Cross Site Scripting);
- ------------------------------------------------------
An attacker can steal the victim's active session, and because of the
"Remember Login" feature the stolen cookie lets the attacker log in as that
user at any later time.

	------------------------------------------------------
	Details;
	------------------------------------------------------
	PAGE : http://dotnetnuke.com/EditModule.aspx?tabid=510&def=Register
	Input values are reflected into the page without encoding; they need to be
	HTML-encoded before output.




- ------------------------------------------------------
HOW TO PATCH [provided by vendor];
- ------------------------------------------------------
Online URL :
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
Also required information attached.


- ------------------------------------------------------
FINAL WORDS;
- ------------------------------------------------------
Other pages also appear to have similar security problems.
And I want to thank the whole DotNetNuke team; they fixed the problems quickly.



- ------------------------------------------------------
HISTORY;
- ------------------------------------------------------
Discovered : 12.12.2003
Vendor Informed : 30.01.2004
Published : 28.01.2004

- ------------------------------------------------------
Vendor Status;
- ------------------------------------------------------
Quickly answered and fixed.


Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@...ituna.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQBd2PTL0QoVzo2STEQIeGACfaMbmCrcX36MJ20aYijvVR5LZ2RAAniev
RpSDbnRrtpZ8ocT5AHs4OsA4
=h8Yp
-----END PGP SIGNATURE-----

