Month Of Abysssec Undisclosed Bugs - IfNuke 4.0.0 XSS / Shell Upload

2010-09-06T00:00:00
ID PACKETSTORM:93512
Type packetstorm
Reporter Abysssec
Modified 2010-09-06T00:00:00

Description

                                        
                                            `'''  
__ __ ____ _ _ ____   
| \/ |/ __ \ /\ | | | | _ \  
| \ / | | | | / \ | | | | |_) |  
| |\/| | | | |/ /\ \| | | | _ <  
| | | | |__| / ____ \ |__| | |_) |  
|_| |_|\____/_/ \_\____/|____/  
  
'''  
  
Abysssec Inc Public Advisory  
  
  
Title : IfNuke Multiple Remote Vulnerabilities  
Affected Version : IfNuke 4.0.0  
Discovery : www.abysssec.com  
Vendor : http://www.ifsoft.net/default.aspx  
  
Demo : http://www.ifsoft.net/default.aspx?portalName=demo  
Download Links : http://ifnuke.codeplex.com/   
  
  
Admin Page : http://Example.com/Login.aspx?PortalName=_default  
  
  
Description :  
===========================================================================================   
This version of IfNuke have Multiple Valnerabilities :  
  
1- arbitrary Upload file  
2- Persistent XSS  
  
  
  
arbitrary Upload file  
===========================================================================================   
  
using this vulnerability you can upload any file with this two ways:  
  
1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1 (the value of AlbumId is necessary)  
  
your files will be in this path:  
http://Example.com/Users/Albums/  
  
with this format (for example):  
Shell.aspx ---> img_634150553723437500.aspx  
  
That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be built in this file :  
  
http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs   
Ln 102 : fileName = "img_" + DateTime.Now.Ticks.ToString() + "." + GetFileExt(userPostedFile.FileName);  
  
  
  
it's possible to do same thing here :  
  
2- http://Example.com/modules/PreDefinition/VideoUpload.aspx  
  
and the same vulnerable code is located here :  
  
http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs   
Ln 39 : string createdTime = DateTime.Now.ToString("yyyyMMddHHmmssffff");  
string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime;  
string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName));  
  
  
Persistent XSS Vulnerabilities:  
===========================================================================================   
  
In these Modules you can find Persistent XSS that data saves with no sanitization:  
  
1- Module name : Article  
Fields : Title , Description  
Valnerable Code: ...\Modules\PreDefinition\Article.ascx.cs  
ln 106:  
if (S_Title.Text.Trim() != string.Empty)  
{  
parameters.Add("@Title", S_Title.Text.Trim());  
parameters.Add("@Description", S_Title.Text.Trim());  
parameters.Add("@Tags", S_Title.Text.Trim());  
}   
  
--------------------------------------------------------------------------------------  
  
2- Module name : ArticleCategory  
Field : Name  
Valnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs  
ln 96:  
entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategoryName_E")).Text.Trim();   
  
--------------------------------------------------------------------------------------  
  
3- Module name : HtmlText  
Field : Text  
Valnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs  
ln 66:  
entity.Content = txtContent.Value.Trim().Replace("//",string.Empty);  
  
--------------------------------------------------------------------------------------  
  
4- Module name : LeaveMessage  
Fields : NickName , Content  
Valnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs  
ln 55:  
entity.NickName = txtNickName.Text.Trim();  
entity.Content = txtContent.Text.Trim();  
  
--------------------------------------------------------------------------------------  
  
5- Module name : Link  
Field : Title  
Valnerable Code: ...\Modules\PreDefinition\Link.ascx.cs  
ln 83:  
entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E")).Text.Trim();  
  
--------------------------------------------------------------------------------------  
  
6- Module name : Photo  
Field : Title  
Valnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs  
ln 280:  
entity.Title = txtTitle_E.Text.Trim();  
  
  
===========================================================================================  
  
`