------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429

1) Source Code & File Access;  Severity : Highly Critical
2) SQL Injection;              Severity : Moderately Critical
3) XSS (Cross Site Scripting); Severity : Low Critical

------------------------------------------------------
ABOUT DOTNETNUKE;
------------------------------------------------------
ASP.NET, open source web portal application.

URL & Demo & Source Code Download ; http://www.dotnetnuke.com/

Developer Description;
DotNetNuke (formerly known as the IBuySpy Workshop) is an automated content management system specifically designed to be used in Intranet and Internet deployments. The Administrator has total control of their web portal, membership, and has a powerful set of tools to maintain a dynamic and 100% interactive data-driven web site.

------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d

------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
DotNetNuke 1.0.10e

------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
------------------------------------------------------
This is the most serious of the three problems. Anyone can download files and source code with a simple GET request. An attacker can download "Web.config" and read the SQL Server login name and password from it. A possible side effect: if the application connects to SQL Server as the "sa" user (and most developers still use "sa"), the attacker can gain full access to the system remotely.

! Proof of Concept code removed because of the possible serious damage. [Vendor informed with required proof of concepts]

------------------------------------------------------
2) SQL INJECTION;
------------------------------------------------------
Many SQL related actions are vulnerable here, but most of them run as stored procedures, so exploiting them is not so easy.
Also there is no extra check for integer fields.

Description;
In the "LinkClick.aspx" page the "table" and "field" parameters have no protection against SQL injection. Some of the other SQL related functions have the same problem.

Code;
------------------- LinkClick.aspx -------------------
    ' update clicks
    ' "table" and "field" come straight from the request and are passed to the
    ' stored procedure unchecked; only "id" is forced to an integer.
    Dim objAdmin As New AdminDB()
    objAdmin.UpdateClicks(Request.Params("table").ToString, Request.Params("field").ToString, Integer.Parse(Request.Params("id")), UserId)

------------------- Related Procedure -------------------
    -- parameter list and exec are reconstructed so the fragment is complete; types are assumed
    create procedure UpdateClicks @TableName varchar(100), @KeyField varchar(100), @ItemId int, @UserId int
    as
    declare @SQL varchar(500)
    -- @TableName and @KeyField are concatenated unquoted into the statement (the injection point)
    select @SQL = 'update ' + @TableName + ' set Clicks = Clicks + 1 where ' + @KeyField + ' = ' + convert(varchar,@ItemId)
    exec(@SQL)

Solution;
(') single quotes in SQL queries have to be replaced.

------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
An attacker can steal an active session and, through the "Remember Login" feature, log in as another user at any time.

Details;
PAGE : http://dotnetnuke.com/EditModule.aspx?tabid=510&def=Register
Input values need to be encoded.

------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Online URL : http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
The required information is also attached.

------------------------------------------------------
FINAL WORDS;
------------------------------------------------------
Other pages also look like they have some similar security problems.
And I want to thank the whole DotNetNuke team; they fixed the problems quickly.

------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered      : 12.12.2003
Vendor Informed : 30.01.2004
Published       : 28.01.2004

------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered and fixed.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
[EMAIL PROTECTED]

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
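Added example for section 2 (SQL injection), not DotNetNuke's or the vendor patch's own code: a hardened form of the UpdateClicks pattern. It keeps the original three inputs (@TableName, @KeyField, @ItemId); the allowlisted table/key pairs and the sample calls are constructed placeholders. The point a practitioner should take from the original procedure is that table and column names are never inside quotes in the generated statement, so replacing single quotes does not close that hole; identifiers cannot be bound as parameters, so they must be validated against a fixed list.

```sql
-- Hardened replacement for the UpdateClicks pattern (added example, not project code).
CREATE PROCEDURE UpdateClicksSafe
    @TableName sysname,
    @KeyField  sysname,
    @ItemId    int
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Allowlist the identifier pair. Table/column names cannot be passed as
    --    SQL parameters, so this comparison is the real control. The pairs
    --    below are constructed placeholders; use the tables the app really updates.
    IF NOT (   (@TableName = N'Links'     AND @KeyField = N'ItemId')
            OR (@TableName = N'Documents' AND @KeyField = N'ItemId') )
    BEGIN
        RAISERROR(N'UpdateClicks: table/field combination not permitted', 16, 1);
        RETURN;
    END;

    -- 2. QUOTENAME emits each identifier as one bracketed name, and the key
    --    value is bound through sp_executesql instead of being concatenated
    --    as text (the original used convert(varchar, @ItemId) in the string).
    DECLARE @SQL nvarchar(4000);
    SET @SQL = N'UPDATE ' + QUOTENAME(@TableName)
             + N' SET Clicks = Clicks + 1 WHERE ' + QUOTENAME(@KeyField) + N' = @Id;';

    EXEC sp_executesql @SQL, N'@Id int', @Id = @ItemId;
END;
GO

-- Accepted: increments Links.Clicks for ItemId 42.
EXEC UpdateClicksSafe N'Links', N'ItemId', 42;
-- Rejected with error 50000 (not on the allowlist), nothing is executed.
EXEC UpdateClicksSafe N'Users', N'UserId', 1;
GO
```

The web tier should still validate "table" and "field" before calling the procedure, so that a rejected request is logged as a suspicious parameter rather than surfacing as a database error.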