[Full-disclosure] DotNetNuke HTML Code Injection

2006-09-20T00:00:00
ID SECURITYVULNS:DOC:14348
Type securityvulns
Reporter Securityvulns
Modified 2006-09-20T00:00:00

Description

Security Advisory: VULN20-09-2006 - http://www.secureshapes.com/advisories/vuln20-09-2006.htm

Vendor Security Bulletin: http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletin no3/tabid/990/Default.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DotNetNuke - HTML Code Injection Vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Date: 20/09/2006

  • Severity: Low

  • Impact: Code Injection

  • Solution Status: Vendor Patch

  • Version: All versions of DotNetNuke

  • Vendor Website: http://dotnetnuke.com/

:: ABOUT THE SOFTWARE

DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web Applications.

Unfortunately, DotNetNuke is vulnerable to HTML code injection.

:: TECHNICAL DESCRIPTION

The error variable available in the URL can be manipulated and it is possible to inject HTML code.

Example:

http://xxxxxx/Default.aspx?tabid=510&error=The+state+information+is+invalid+ for+this+page+and+might+be+corrupted

It is possible to inject HTML code in that error variable.

In particular, it also possible to reproduce the character "space" inserting some complete HTML tags such as <script></script> and/or <form></form> in the injected code. This will allow the attacker to specify attributes in the HTML tags.

Example:

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<script></script>/><iframe <script></script>src=http://www.google.com>

or

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<form></form>/><iframe<for m></form>src=http://www.google.com>

In the HTML source code, this injection will result:

<form name="Form" method="post" action="/Default.aspx?tabid=510&error=" /><iframe src=http://www.google.com>" id="Form" enctype="multipart/form-data" style="height: 100%;">

The space in the HTML code between iframe and src is generated because of the complete tag injected previously.

:: VENDOR RESPONSE

The vendor security bulletin link is:

http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletin no3/tabid/990/Default.aspx

The patches are available here:

http://www.dotnetnuke.com/tabid/125/default.aspx - registration needed in order to download them

:: DISCLOSURE TIMEFRAME

04/09/2006 - Preliminary Vendor notification.

06/09/2006 - Vulnerability confirmed in all versions

17/06/2006 - DotNetNuke releases version 3.3.5 and 4.3.5 with fix

20/09/2006 - Coordinated public release.

Total Time to Fix: 13 days

:: CREDIT

The vulnerability was discovered by Roberto Suggi Liverani and Antonio Spera of Secure Shapes.

~~~~~~~~~~~~~~~~~~~

About Secure Shapes

~~~~~~~~~~~~~~~~~~~

Secure Shapes Ltd provides vulnerability assessments , website penetration testing , network penetration testing and security consultancy.

E-mail: contact [at] secureshapes.com


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/