-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
- - ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429

1) Source Code & File Access;
Severity : Highly Critical

2) XSS (Cross Site Scripting);
Severity : Low Critical

- - ------------------------------------------------------
ABOUT DOTNETNUKE;
- - ------------------------------------------------------
ASP.NET, Open Source Web Portal Application.

URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/

Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in Intranet
and Internet deployments. The Administrator has total control of their
web portal, membership, and has a powerful set of tools to maintain a
dynamic and 100% interactive data-driven web site.

- - ------------------------------------------------------
VULNERABLE;
- - ------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d

- - ------------------------------------------------------
NOT VULNERABLE;
- - ------------------------------------------------------
DotNetNuke 1.0.10e

- - ------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
- - ------------------------------------------------------
This one is the biggest problem. Anyone can download files and source
code with a simple GET request.

! Proof-of-concept code removed because of the possible serious damage.
[Vendor informed with required proof of concepts]

- - ------------------------------------------------------
2) XSS (Cross Site Scripting);
- - ------------------------------------------------------
An attacker can steal an active session and, through the "Remember
Login" feature, log in as another user at any time.
------------------------------------------------------
Details;
------------------------------------------------------
PAGE : http://[VICTIM]/EditModule.aspx?tabid=510&def=Register

Input values need to be encoded.

- - ------------------------------------------------------
HOW TO PATCH [provided by vendor];
- - ------------------------------------------------------
Online URL : http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107

The required information is also attached.

- - ------------------------------------------------------
FINAL WORDS;
- - ------------------------------------------------------
Other pages also look like they have some similar security problems.
And I want to thank the whole DotNetNuke team; they fixed the problems
quickly.

- - ------------------------------------------------------
HISTORY;
- - ------------------------------------------------------
Discovered: 12.12.2003
Vendor Informed: 30.01.2004
Published: 28.01.2004

- - ------------------------------------------------------
Vendor Status;
- - ------------------------------------------------------
Quickly answered and fixed.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@mavituna.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCOGgTL0QoVzo2STEQKpbQCgghJMYBcyxFjL3BuYM9AYCSAZzAwAn1hF
TXQQbATmKndanAXaOx8jfedA
=Khhg
-----END PGP SIGNATURE-----