Abysssec Inc Public Advisory
Title : IfNuke Multiple Remote Vulnerabilities
Affected Version : IfNuke 4.0.0
Discovery : www.abysssec.com
Vendor : http://www.ifsoft.net/default.aspx
Demo : http://www.ifsoft.net/default.aspx?portalName=demo
Download Links : http://ifnuke.codeplex.com/
Admin Page : http://Example.com/Login.aspx?PortalName=_default
Description :
===========================================================================================
This version of IfNuke has multiple vulnerabilities:
1- Arbitrary file upload
2- Persistent XSS
Arbitrary File Upload
===========================================================================================
Using this vulnerability you can upload any file in these two ways:
1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1 (the value of AlbumId is necessary)
Your files will be in this path:
http://Example.com/Users/Albums/
with this format (for example):
Shell.aspx ---> img_634150553723437500.aspx
The value 634150553723437500 is DateTime.Now.Ticks.ToString(), and the file name is built in this file:
http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs
Ln 102 : fileName = "img_" + DateTime.Now.Ticks.ToString() + "." + GetFileExt(userPostedFile.FileName);
It is possible to do the same thing here:
2- http://Example.com/modules/PreDefinition/VideoUpload.aspx
and the same vulnerable code is located here :
http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs
Ln 39 : string createdTime = DateTime.Now.ToString("yyyyMMddHHmmssffff");
string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime;
string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName));
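One way to build the stored file name without trusting the client-supplied extension, as an added example (not IfNuke code and not part of the advisory). The SafeUploadName class, the TryBuild method and the image-only allowlist are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: hypothetical helper, not IfNuke code.
public static class SafeUploadName
{
    // Assumed policy: the photo module accepts only these types, keyed to their magic bytes.
    private static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
            { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } },
        };

    // Returns a server-generated name, or null when the upload must be rejected.
    public static string TryBuild(string postedFileName, byte[] head)
    {
        if (string.IsNullOrWhiteSpace(postedFileName) || head == null) return null;
        string ext;
        // Windows ignores trailing dots and spaces, so strip them before reading the extension.
        try { ext = Path.GetExtension(postedFileName.TrimEnd('.', ' ')); }
        catch (ArgumentException) { return null; }   // illegal path characters

        byte[] magic;
        if (!Allowed.TryGetValue(ext, out magic)) return null;   // .aspx, .ashx, no extension
        if (head.Length < magic.Length) return null;
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return null;                // content does not match type

        // The stored name carries nothing from the client except the vetted extension.
        return "img_" + Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    public static void Main()
    {
        // Constructed sample inputs: first bytes of a JPEG and of a text file.
        byte[] jpeg = { 0xFF, 0xD8, 0xFF, 0xE0 };
        byte[] text = { 0x3C, 0x25, 0x40, 0x20 };
        Console.WriteLine(TryBuild("Shell.aspx", text) ?? "rejected");
        Console.WriteLine(TryBuild("photo.JPG", jpeg) ?? "rejected");
        Console.WriteLine(TryBuild("photo.jpg", text) ?? "rejected");
    }
}
```

Serving the upload directory with script execution disabled limits the impact if either check is ever bypassed.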
Persistent XSS Vulnerabilities:
===========================================================================================
The following modules contain persistent XSS because the data is saved with no sanitization:
1- Module name : Article
Fields : Title , Description
Vulnerable Code: ...\Modules\PreDefinition\Article.ascx.cs
ln 106:
if (S_Title.Text.Trim() != string.Empty)
{
    parameters.Add("@Title", S_Title.Text.Trim());
    parameters.Add("@Description", S_Title.Text.Trim());
    parameters.Add("@Tags", S_Title.Text.Trim());
}
--------------------------------------------------------------------------------------
2- Module name : ArticleCategory
Field : Name
Vulnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs
ln 96:
entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategoryName_E")).Text.Trim();
--------------------------------------------------------------------------------------
3- Module name : HtmlText
Field : Text
Vulnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs
ln 66:
entity.Content = txtContent.Value.Trim().Replace("//",string.Empty);
--------------------------------------------------------------------------------------
4- Module name : LeaveMessage
Fields : NickName , Content
Vulnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs
ln 55:
entity.NickName = txtNickName.Text.Trim();
entity.Content = txtContent.Text.Trim();
--------------------------------------------------------------------------------------
5- Module name : Link
Field : Title
Vulnerable Code: ...\Modules\PreDefinition\Link.ascx.cs
ln 83:
entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E")).Text.Trim();
--------------------------------------------------------------------------------------
6- Module name : Photo
Field : Title
Vulnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs
ln 280:
entity.Title = txtTitle_E.Text.Trim();
===========================================================================================