Dotnetnuke Multiple Vulnerabilities
------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429
1) Source Code & File Access;
Severity : Highly Critical
2) XSS (Cross Site Scripting);
Severity : Low Critical
------------------------------------------------------
ABOUT DOTNETNUKE;
------------------------------------------------------
ASP.NET, Open Source Web Portal Application.
URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/
Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in
Intranet and Internet deployments. The Administrator has total
control of their web portal, membership, and has a powerful set of
tools to maintain a dynamic and 100% interactive data-driven web
site.
------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d
------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
DotNetNuke 1.0.10e
------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
------------------------------------------------------
This one is the biggest problem. Anyone can download files and source
code with a simple GET request.
! Proof-of-concept code removed because of the possible serious
damage. [Vendor informed with the required proofs of concept]
------------------------------------------------------
2) XSS (Cross Site Scripting);
------------------------------------------------------
An attacker can steal an active session, and through the "Remember
Login" feature the attacker can log in as another user at any time.
------------------------------------------------------
Details;
------------------------------------------------------
PAGE : http://[VICTIM]/EditModule.aspx?tabid=510&def=Register
Input values need to be encoded.
------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Online URL :
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
The required information is also attached.
------------------------------------------------------
FINAL WORDS;
------------------------------------------------------
Other pages also appear to have similar security problems.
I also want to thank the whole DotNetNuke team; they fixed the
problems quickly.
------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered: 12.12.2003
Vendor Informed: 30.01.2004
Published: 28.01.2004
------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered and fixed.
Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@xxxxxxxxxxxx