Vulnerability in DotNetNuke Could Allow Arbitrary Script Execution

ID MSVR12-002
Type msvr
Reporter Microsoft Vulnerability Research
Modified 2012-02-21T00:00:00


Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting DotNetNuke 6.0.2 and earlier versions. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, DotNetNuke. DotNetNuke has remediated the vulnerability in their software.

The vulnerability exists in the way that affected versions of DotNetNuke handle specially crafted HTML that contains JavaScript. Under certain conditions, specially crafted HTML that contains JavaScript can bypass the cross-site scripting filtering that is performed in the telerik HTML editor, resulting in several persistent cross-site scripting conditions. In addition, with the inclusion of the messaging component in DotNetNuke 5.5.0 and later affected versions, an attacker could attempt to exploit the vulnerability by sending a specially crafted message to a user. When the message is read by the user, arbitrary script could be executed in the context of the current user.

Microsoft Vulnerability Research reported this issue to and coordinated with DotNetNuke to ensure remediation of this issue. The vulnerability has been assigned the entry, CVE-2012-1036, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from DotNetNuke, see DotNetNuke Security Bulletin 59.

Mitigating Factors

  • Versions of DotNetNuke prior to 5.5.0 do not have access to the messaging component. Without access to the messaging component, an attacker would need access (and edit permissions) to an HTML module to successfully exploit the vulnerability and execute arbitrary code.
  • Sites that have removed the messaging component in DotNetNuke could be impacted less by this issue.
  • DotNetNuke uses the HTTPOnly attribute on authentication cookies. An attacker could cause arbitrary script to execute, but due to the HTTPOnly attribute, an attacker would be prevented from accessing authentication cookies through client-side script.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.