IfNuke Multiple Remote Vulnerabilities

Posted on 05 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>IfNuke Multiple Remote Vulnerabilities </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================
IfNuke Multiple Remote Vulnerabilities
====================================== 

Title            :  IfNuke Multiple Remote Vulnerabilities
  Affected Version :  IfNuke 4.0.0
  Discovery        :  www.abysssec.com
  Vendor       :  http://www.ifsoft.net/default.aspx
 
  Demo         :  http://www.ifsoft.net/default.aspx?portalName=demo
  Download Links   :  http://ifnuke.codeplex.com/            
               
 
  Admin Page       :  http://Example.com/Login.aspx?PortalName=_default
   
  
Description :
===========================================================================================     
  This version of IfNuke have Multiple Valnerabilities :
 
        1- arbitrary Upload file
    2- Persistent XSS
 
 
 
arbitrary Upload file
===========================================================================================    
 
  using this vulnerability you can upload any file with this two ways:
   
  1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1   (the value of AlbumId is necessary)
         
     your files will be in this path:
           http://Example.com/Users/Albums/
 
     with this format (for example):
           Shell.aspx ---&gt; img_634150553723437500.aspx
 
That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be built in this file :
 
           http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs          
           Ln 102 : fileName = &quot;img_&quot; + DateTime.Now.Ticks.ToString() + &quot;.&quot; + GetFileExt(userPostedFile.FileName);
 
 
 
it's possible to do same thing here :
         
  2- http://Example.com/modules/PreDefinition/VideoUpload.aspx
 
   and the same vulnerable code is located here :
 
           http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs         
           Ln 39 : string createdTime = DateTime.Now.ToString(&quot;yyyyMMddHHmmssffff&quot;);
                   string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + &quot;_&quot; + createdTime;
               string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName));
 
 
Persistent XSS Vulnerabilities:
===========================================================================================    
    
  In these Modules you can find Persistent XSS that data saves with no sanitization:
 
  1- Module name    : Article
     Fields         : Title , Description
     Valnerable Code: ...ModulesPreDefinitionArticle.ascx.cs
     ln 106:
            if (S_Title.Text.Trim() != string.Empty)
             {
                parameters.Add(&quot;@Title&quot;, S_Title.Text.Trim());
                parameters.Add(&quot;@Description&quot;, S_Title.Text.Trim());
                parameters.Add(&quot;@Tags&quot;, S_Title.Text.Trim());
             }  
 
     --------------------------------------------------------------------------------------
     
  2- Module name    : ArticleCategory
     Field          : Name
     Valnerable Code: ...ModulesPreDefinitionArticleCategory.ascx.cs
     ln 96:
           entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl(&quot;txtCategoryName_E&quot;)).Text.Trim();    
 
     --------------------------------------------------------------------------------------
     
  3- Module name    : HtmlText
     Field          : Text
     Valnerable Code: ...ModulesPreDefinitionHtmlText.ascx.cs
     ln 66:
           entity.Content = txtContent.Value.Trim().Replace(&quot;//&quot;,string.Empty);
 
     --------------------------------------------------------------------------------------
     
  4- Module name    : LeaveMessage
     Fields         : NickName , Content
     Valnerable Code: ...ModulesPreDefinitionLeaveMessage.ascx.cs
     ln 55:
           entity.NickName = txtNickName.Text.Trim();
           entity.Content = txtContent.Text.Trim();
 
     --------------------------------------------------------------------------------------
     
  5- Module name    : Link
     Field          : Title
     Valnerable Code: ...ModulesPreDefinitionLink.ascx.cs
     ln 83:
           entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl(&quot;txtTitle_E&quot;)).Text.Trim();
 
     --------------------------------------------------------------------------------------
         
  6- Module name    : Photo
     Field          : Title
     Valnerable Code: ...ModulesPreDefinitionPhoto.ascx.cs
     ln 280:
           entity.Title = txtTitle_E.Text.Trim();
      
 
===========================================================================================


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-05]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

None in database
Last 20
Exploits :

Last 20