September 29, 2006

Security advisory

Security Advisory: VULN20-09-2006

Vendor Security Bulletin: Link


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DotNetNuke - HTML Code Injection Vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


* Date: 20/09/2006

* Severity: Low

* Impact: Code Injection

* Solution Status: Vendor Patch

* Version: All versions of DotNetNuke

* Vendor Website: http://dotnetnuke.com/

:: ABOUT THE SOFTWARE


DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web Applications.

Unfortunately, DotNetNuke is vulnerable to HTML code injection.


:: TECHNICAL DESCRIPTION

The error parameter passed in the URL is reflected into the page without adequate filtering, so HTML code can be injected through it.

Example:

http://xxxxxx/Default.aspx?tabid=510&error=

HTML code can be injected through that parameter (error).

In particular, it is also possible to reproduce the space character by inserting complete HTML tags such as <script></script> and/or <form></form> in the injected code: each complete tag is removed and leaves a space behind. This allows the attacker to specify attributes in the injected HTML tags.


Example:

error="<script></script>/><iframe<script>
</script>src=http://www.google.com>

or

error="<form></form>/><iframe<form>
</form>src=http://www.google.com>


In the HTML source code, this injection results in:


<form name="Form" method="post" action="/Default.aspx?tabid=510&error=" /><iframe src=http://www.google.com>" id="Form" enctype="multipart/form-data" style="height: 100%;">


The space between iframe and src in the resulting HTML is generated by the complete tag that was injected at that position.
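As an added illustration (not the advisory's or DotNetNuke's code), the following Python models the behaviour described above with a hypothetical tag-stripping sanitizer, reproduces the attribute breakout shown in the HTML source, and contrasts it with attribute-context HTML encoding, which keeps the reflected value inert. The regex sanitizer and the form-rendering function are constructed stand-ins, not the real product's code.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical model of the filter behaviour the advisory describes:
# complete <tag>...</tag> pairs are removed (leaving a space), while a bare
# "<iframe" fragment, quotes and ">" pass through untouched.
COMPLETE_TAG = re.compile(r"<(\w+)[^>]*></\1>")


def naive_strip_tags(value: str) -> str:
    """Insufficient sanitizer: removes only complete tag pairs."""
    return COMPLETE_TAG.sub(" ", value)


def encode_for_attribute(value: str) -> str:
    """Correct approach: HTML-encode the value for an attribute context."""
    return html.escape(value, quote=True)


def render_form_action(error: str, sanitize) -> str:
    """Builds the form tag from the advisory, reflecting `error` into action=."""
    action = "/Default.aspx?tabid=510&error=" + sanitize(error)
    return f'<form name="Form" method="post" action="{action}" id="Form">'


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Detection check: a reflected parameter must never add a second element."""
    collector = TagCollector()
    collector.feed(markup)
    return collector.tags


# The advisory's first payload, joined onto one line (constructed input).
PAYLOAD = '"<script></script>/><iframe<script></script>src=http://www.google.com>'

if __name__ == "__main__":
    print(render_form_action(PAYLOAD, naive_strip_tags))   # attribute breakout, iframe appears
    print(render_form_action(PAYLOAD, encode_for_attribute))  # value stays inside action=
```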


:: SCREENSHOT




:: VENDOR RESPONSE


The vendor security bulletin: Link

The patches are available here: Link (registration is needed in order to download them).


:: DISCLOSURE TIMEFRAME


04/09/2006 - Preliminary vendor notification.

06/09/2006 - Vulnerability confirmed in all versions.

17/06/2006 - DotNetNuke releases versions 3.3.5 and 4.3.5 with the fix.

20/09/2006 - Coordinated public release.

Total Time to Fix: 13 days


:: CREDIT

The vulnerability was discovered by Roberto Suggi Liverani.
