Vulnerability in DotNetNuke Could Allow Arbitrary Script Execution

Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting DotNetNuke 6.0.0 through version 6.0.2. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, DotNetNuke. DotNetNuke has remediated the vulnerability in their software.

The vulnerability exists in the way that affected versions of DotNetNuke validate script information included within a specially crafted URL. A specially crafted URL can be constructed allowing the JavaScript for the modal popup to be polluted with attacker-controlled script creating a reflected cross-site scripting condition.

Microsoft Vulnerability Research reported this issue to and coordinated with DotNetNuke to ensure remediation of this issue. The vulnerability has been assigned the entry, CVE-2012-1030, in the Common Vulnerabilities and Exposures list. For more information, including information about updates from DotNetNuke, see DotNetNuke Security Bulletin 62.

Mitigating Factors

• An attacker must convince a victim to click a specially crafted URL.
• DotNetNuke uses the HTTPOnly attribute on authentication cookies. An attacker could cause arbitrary script to execute, but due to the HTTPOnly attribute, an attacker would be prevented from accessing authentication cookies through client-side script.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.