Full Disclosure mailing list archives

Dotnetnuke Multiple Vulnerabilities


From: "Ferruh Mavituna" <ferruh () mavituna com>
Date: Wed, 28 Jan 2004 10:53:25 +0200


------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429 

1) Source Code & File Access;
Severity : Highly Critical

2) SQL Injection;
Severity : Moderately Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical


------------------------------------------------------
ABOUT DOTNETNUKE;
------------------------------------------------------
An open-source ASP.NET web portal application.

URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/


Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in Intranet and
Internet deployments. The Administrator has total control of their web
portal, membership, and has a powerful set of tools to maintain a dynamic
and 100% interactive data-driven web site. 


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
DotNetNuke 1.0.10e

------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
------------------------------------------------------
This is the most serious issue. Anyone can download files and source code
with a simple GET request.

An attacker can download "Web.config" and read the SQL Server login name and
password. A possible side effect: if the application connects to SQL Server as
the "sa" user (and most developers still use "sa"), the attacker can simply
gain full system access remotely.

! Proof of Concept Codes removed because of the possible serious damages.
[Vendor informed with required proof of concepts]

------------------------------------------------------
2) SQL INJECTION;
------------------------------------------------------
Many SQL-related actions are vulnerable here, but most of them run as stored
procedures, so exploitation is not so easy. Also, there is no extra check for
integer fields.

        ------------------------------------------------------
        Description;
        ------------------------------------------------------
        In the "LinkClick.aspx" page, the "table" and "field" parameters have
        no protection against SQL injection.
        Some other SQL-related functions have the same problem.


        ------------------------------------------------------
        Code;
        ------------------------------------------------------
        ------------------- LinkClick.aspx -------------------
        ' update clicks: table and field names come straight from the request
        Dim objAdmin As New AdminDB()
        objAdmin.UpdateClicks(Request.Params("table").ToString, _
                              Request.Params("field").ToString, _
                              Integer.Parse(Request.Params("id")), UserId)

        ------------------- Related Procedure (excerpt) -------------------
        create procedure UpdateClicks
        ...
        -- table and field names are concatenated into dynamic SQL
        select @SQL = 'update ' + @TableName + ' set Clicks = Clicks + 1 where '
                    + @KeyField + ' = ' + convert(varchar,@ItemId)

        ------------------------------------------------------
        Solution;
        ------------------------------------------------------
        Single quotes (') in SQL query input have to be replaced.
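        As an added example (not DotNetNuke's own patch), a hardened form of
        the UpdateClicks procedure quoted above: the table and field names are
        checked against an allow-list and bracketed with QUOTENAME, and the row
        id is bound as a typed parameter through sp_executesql instead of being
        concatenated. The allow-listed table names are placeholders.

```sql
-- Hardened UpdateClicks (added example, not the vendor's fix).
-- Same parameter names as the vulnerable procedure; allow-list values are placeholders.
CREATE PROCEDURE UpdateClicksSafe
    @TableName sysname,
    @KeyField  sysname,
    @ItemId    int
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be bound as parameters, so restrict them to an
    -- explicit allow-list before they ever reach a dynamic statement.
    IF @TableName NOT IN ('Links', 'Documents', 'Announcements')  -- placeholder table names
       OR @KeyField NOT IN ('ItemId')                             -- placeholder key column
    BEGIN
        RAISERROR('UpdateClicks: table or field not permitted', 16, 1);
        RETURN;
    END

    -- QUOTENAME brackets the identifiers; the row key is passed as a typed
    -- parameter, so no request value is ever concatenated into the SQL text.
    DECLARE @SQL nvarchar(500);
    SET @SQL = N'UPDATE ' + QUOTENAME(@TableName)
             + N' SET Clicks = Clicks + 1 WHERE '
             + QUOTENAME(@KeyField) + N' = @Id';

    EXEC sp_executesql @SQL, N'@Id int', @Id = @ItemId;
END
GO
```

        The allow-list is the part that actually closes the hole: QUOTENAME
        alone only guarantees a syntactically valid identifier, not a permitted one.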



------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
An attacker can steal an active session, and via the "Remember Login" feature
the attacker can log in as another user at any time.

        ------------------------------------------------------
        Details;
        ------------------------------------------------------
        PAGE : http://dotnetnuke.com/EditModule.aspx?tabid=510&def=Register
        Input values need to be encoded.




------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Online URL :
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
The required information is also attached.


------------------------------------------------------
FINAL WORDS;
------------------------------------------------------
Other pages also look like they have similar security problems.
And I want to thank the whole DotNetNuke team; they fixed the problems quickly.



------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 12.12.2003
Vendor Informed : 30.01.2004
Published : 28.01.2004

------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered and fixed.


Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh () mavituna com
