SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  DotNetNuke
Vendors:  Perpetual Motion Interactive Systems
DotNetNuke Multiple Input Validation Flaws Disclose Files to Remote Users and Permit SQL Injection
SecurityTracker Alert ID:  1008874
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 28 2004
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0.6 to 1.0.10d
Description:  Several vulnerabilities were reported in DotNetNuke. A remote user can view files on the system. A remote user can also inject SQL commands and conduct cross-site scripting attacks.

Ferruh Mavituna reported that a remote user can supply a specially crafted HTTP GET request to download files and forum source code from the target system. One file that can be downloaded is the 'Web.config' file that contains the username and password for the SQL server, the report said.

It is also reported that a remote user can inject certain SQL commands, as the 'table' and 'field' variables in 'LinkClick.aspx' are not properly validated.

It is also reported that the registration page does not filter HTML code from user-supplied input before displaying the information. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the DotNetNuke software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can view files on the system with the privileges of the web service.

A remote user can inject SQL commands to be executed by the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the DotNetNuke software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  The vendor has released a fixed version (1.0.10e), available at:

http://www.dotnetnuke.com/DesktopDefault.aspx?tabid=125

Vendor URL:  www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Ferruh Mavituna" <ferruh@mavituna.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 28 Jan 2004 10:53:25 +0200
From:  "Ferruh Mavituna" <ferruh@mavituna.com>
Subject:  [Full-Disclosure] Dotnetnuke Multiple Vulnerabilities

------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429 

1) Source Code & File Access;
Severity : Highly Critical

2) SQL Injection;
Severity : Moderately Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical


------------------------------------------------------
ABOUT DOTNETNUKE;
------------------------------------------------------
ASP.NET, Open Source Web Portal Application.

URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/


Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated
content management system specifically designed to be used in Intranet and
Internet deployments. The Administrator has total control of their web
portal, membership, and has a powerful set of tools to maintain a dynamic
and 100% interactive data-driven web site. 


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d 


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
DotNetNuke 1.0.10e

------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
------------------------------------------------------
This one is the biggest problem. Anyone can download files and source code
with a simple GET request.

An attacker can download "Web.config" and access the SQL Server login name and
password. A possible side effect of this: if SQL Server is running as the "sa"
user (and most developers still use "sa"), the attacker can simply gain full
system access remotely.

! Proof of concept code removed because of the possible serious damage.
[Vendor informed with required proof of concepts]

------------------------------------------------------
2) SQL INJECTION;
------------------------------------------------------
Lots of SQL-related actions are vulnerable here, but most of them run as
stored procedures and exploiting them is not so easy. Also, there is no extra
check for integer fields.

	------------------------------------------------------
	Description;
	------------------------------------------------------
	In the "LinkClick.aspx" page, "table" and "field" have no check for SQL
	injection. Some other SQL-related functions have the same problem.


	------------------------------------------------------
	Code;
	------------------------------------------------------
	------------------- LinkClick.aspx -------------------
	' update clicks
	' "table" and "field" are passed straight from the request to the database
	Dim objAdmin As New AdminDB()
	objAdmin.UpdateClicks(Request.Params("table").ToString, _
	                      Request.Params("field").ToString, _
	                      Integer.Parse(Request.Params("id")), UserId)

	------------------- Related Procedure (excerpt) -------------------
	create procedure UpdateClicks
	...
	-- table and key field names are concatenated into the statement text
	select @SQL = 'update ' + @TableName + ' set Clicks = Clicks + 1 where '
	            + @KeyField + ' = ' + convert(varchar,@ItemId)

	------------------------------------------------------
	Solution;
	------------------------------------------------------
	(') single quotes in SQL queries have to be replaced.
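	As an added example (not DotNetNuke's code and not from the original post), this is how the UpdateClicks procedure quoted above could be hardened in T-SQL: the table/field pair is checked against an allow-list (the ClickTargets table is an assumption of this example), identifiers are wrapped in QUOTENAME, and the id is bound as a typed parameter through sp_executesql instead of being converted into the statement text.

```sql
-- Added example, not DotNetNuke's code. ClickTargets and its rows are an
-- assumption of this example: the only table/column pairs clicks may be
-- counted on. Parameter names follow the fragment quoted in the post.
CREATE TABLE dbo.ClickTargets (
    TableName sysname NOT NULL,
    KeyField  sysname NOT NULL,
    CONSTRAINT PK_ClickTargets PRIMARY KEY (TableName, KeyField)
);
-- Constructed sample data for the allow-list.
INSERT INTO dbo.ClickTargets (TableName, KeyField)
VALUES ('Links', 'ItemId'), ('Documents', 'ItemId');
GO

CREATE PROCEDURE dbo.UpdateClicks
    @TableName sysname,
    @KeyField  sysname,
    @ItemId    int
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Allow-list: the caller may only name pairs registered above,
    --    so request-controlled text never selects an arbitrary table.
    IF NOT EXISTS (SELECT 1 FROM dbo.ClickTargets
                   WHERE TableName = @TableName AND KeyField = @KeyField)
    BEGIN
        RAISERROR('UpdateClicks: unknown table/field %s.%s', 16, 1,
                  @TableName, @KeyField);
        RETURN 1;
    END;

    -- 2. Identifiers are still bracket-quoted, so even a registered name
    --    containing unusual characters cannot break out of the statement.
    DECLARE @SQL nvarchar(max) =
        N'UPDATE ' + QUOTENAME(@TableName) +
        N' SET Clicks = Clicks + 1 WHERE ' + QUOTENAME(@KeyField) + N' = @Id;';

    -- 3. The id is bound as an int parameter, not spliced into the text.
    EXEC sys.sp_executesql @SQL, N'@Id int', @Id = @ItemId;
    RETURN 0;
END;
GO

-- EXEC dbo.UpdateClicks N'Links', N'ItemId', 42;  -- registered pair: counted
-- EXEC dbo.UpdateClicks N'Users', N'ItemId', 42;  -- not registered: rejected
```

	The application side still has to stop passing Request.Params values through unchanged; the procedure is the last line of defence, not the only one.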



------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
An attacker can steal an active session and, via the "Remember Login"
feature, log in as another user at any time.

	------------------------------------------------------
	Details;
	------------------------------------------------------
	PAGE : http://dotnetnuke.com/EditModule.aspx?tabid=510&def=Register
	Input values need to be encoded.




------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Online URL :
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
The required information is also attached.


------------------------------------------------------
FINAL WORDS;
------------------------------------------------------
Other pages also look like they have some similar security problems.
And I want to thank the whole DotNetNuke team; they fixed the problems quickly.



------------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 12.12.2003
Vendor Informed : 30.01.2004
Published : 28.01.2004

------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered and fixed.


Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
ferruh@mavituna.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2004, SecurityGlobal.net LLC