Full Disclosure mailing list archives
DotNetNuke HTML Code Injection
From: contact () secureshapes com
Date: Wed, 20 Sep 2006 03:08:49 -0400
Security Advisory: VULN20-09-2006 -
http://www.secureshapes.com/advisories/vuln20-09-2006.htm

Vendor Security Bulletin:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DotNetNuke - HTML Code Injection Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Date: 20/09/2006
* Severity: Low
* Impact: Code Injection
* Solution Status: Vendor Patch
* Version: All versions of DotNetNuke
* Vendor Website: http://dotnetnuke.com/

:: ABOUT THE SOFTWARE

DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web
Applications. Unfortunately, DotNetNuke is vulnerable to HTML code injection.

:: TECHNICAL DESCRIPTION

The error variable available in the URL can be manipulated and it is
possible to inject HTML code.

Example:

http://xxxxxx/Default.aspx?tabid=510&error=The+state+information+is+invalid+for+this+page+and+might+be+corrupted

It is possible to inject HTML code in that error variable. In particular, it
is also possible to reproduce the "space" character by inserting complete
HTML tags such as <script></script> and/or <form></form> in the injected
code. This allows the attacker to specify attributes in the HTML tags.

Example:

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<script></script>/><iframe<script></script>src=http://www.google.com>

or

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<form></form>/><iframe<form></form>src=http://www.google.com>

In the HTML source code, this injection will result in:

<form name="Form" method="post" action="/Default.aspx?tabid=510&error=" /><iframe src=http://www.google.com>" id="Form" enctype="multipart/form-data" style="height: 100%;">

The space in the HTML code between iframe and src is generated because of
the complete tag injected previously.

:: VENDOR RESPONSE

The vendor security bulletin link is:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx

The patches are available here:
http://www.dotnetnuke.com/tabid/125/default.aspx - registration needed in
order to download them

:: DISCLOSURE TIMEFRAME

04/09/2006 - Preliminary Vendor notification.
06/09/2006 - Vulnerability confirmed in all versions
17/06/2006 - DotNetNuke releases version 3.3.5 and 4.3.5 with fix
20/09/2006 - Coordinated public release.

Total Time to Fix: 13 days

:: CREDIT

The vulnerability was discovered by Roberto Suggi Liverani and Antonio Spera
of Secure Shapes.

~~~~~~~~~~~~~~~~~~~
About Secure Shapes
~~~~~~~~~~~~~~~~~~~

Secure Shapes Ltd provides vulnerability assessments, website penetration
testing, network penetration testing and security consultancy.

E-mail: contact [at] secureshapes.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
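
The reflection described in the advisory, as an added example that is not part of the original post and not DotNetNuke's code: it contrasts writing the request URL into the form action attribute unencoded with attribute-encoding it on output. It assumes a filter that replaces complete <script>/<form> tag pairs with a space (inferred from the advisory's remark about the generated space); the function names and the example.com sample query are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: the filter turns complete <script>/<form> pairs into one space,
# modelled on the advisory's description; this is not DotNetNuke source code.
TAG_PAIR = re.compile(r"<(script|form)\b[^>]*>.*?</\1\s*>", re.I | re.S)

PATH = "/Default.aspx"
# Constructed sample query, shaped like the advisory's second example.
SAMPLE_QUERY = 'tabid=510&error="<form></form>/><iframe<form></form>src=http://example.com>'


def strip_pairs(value):
    """Tag-pair stripping filter: removes the pair but leaves a space behind."""
    return TAG_PAIR.sub(" ", value)


def render_unsafe(path, query):
    """Reflect the filtered URL into the action attribute without encoding."""
    return '<form name="Form" method="post" action="%s?%s" id="Form">' % (
        path, strip_pairs(query))


def render_encoded(path, query):
    """Attribute-encode on output so quotes and angle brackets stay data."""
    action = html.escape(path + "?" + query, quote=True)
    return '<form name="Form" method="post" action="%s" id="Form">' % action


class _TagLister(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup):
    """Return (tag, attributes) for every start tag a parser sees in markup."""
    parser = _TagLister()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        print(render.__name__, [tag for tag, _ in start_tags(render(PATH, SAMPLE_QUERY))])
```

In the unencoded rendering the parser sees a second element and the form loses its own id attribute; with attribute encoding the whole query remains the value of action.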