DotNetNuke Multiple Vulnerabilities
------------------------------------------------------
DOTNETNUKE MULTIPLE VULNERABILITIES
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?429
1) Source Code & File Access;
Severity : Highly Critical
2) XSS (Cross Site Scripting);
Severity : Low Critical
------------------------------------------------------
ABOUT DOTNETNUKE;
------------------------------------------------------
ASP.NET, Open Source Web Portal Application.
URL & Demo & Source Code Download ;
http://www.dotnetnuke.com/
Developer Description;
DotNetNuke ( formerly known as the IBuySpy Workshop ) is an automated content management system specifically designed to be used in Intranet and Internet deployments. The Administrator has total control of their web portal, membership, and has a powerful set of tools to maintain a dynamic and 100% interactive data-driven web site.
------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Any version of DotNetNuke from version 1.0.6 to 1.0.10d
------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
DotNetNuke 1.0.10e
------------------------------------------------------
1) SOURCE CODE & FILE ACCESS;
------------------------------------------------------
This one is the biggest problem. Anyone can download files and source code with a simple GET request.
! Proof-of-concept code has been removed because of the serious damage it could cause. [The vendor has been given the required proofs of concept.]
------------------------------------------------------
2) XSS (Cross Site Scripting);
------------------------------------------------------
An attacker can steal an active session, and through the "Remember Login" feature the attacker can log in as another user at any time.
------------------------------------------------------
Details;
------------------------------------------------------
PAGE : http://dotnetnuke.com/EditModule.aspx?tabid=510&def=Register
Input values need to be encoded.
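
Added example, not from the original advisory or the DotNetNuke source: a C# program that re-renders a submitted registration field without and with HTML encoding, checks whether the value comes back raw, and marks a persistent login cookie HttpOnly. The field name FirstName, the cookie name portal_login, the token and the sample value are constructed for illustration.

```csharp
using System;
using System.Net;

static class RegisterFormEncodingDemo
{
    // Vulnerable pattern: the submitted value is concatenated into the
    // attribute as-is, so a quote or angle bracket ends the attribute.
    static string RenderUnsafe(string field, string submitted) =>
        "<input type=\"text\" name=\"" + field + "\" value=\"" + submitted + "\" />";

    // Corrected pattern: HTML-encode at output time. WebUtility.HtmlEncode
    // rewrites < > & " and ' as entities, so the value stays inside value="...".
    static string RenderEncoded(string field, string submitted) =>
        "<input type=\"text\" name=\"" + WebUtility.HtmlEncode(field) +
        "\" value=\"" + WebUtility.HtmlEncode(submitted) + "\" />";

    // Regression check: true when a value containing markup characters
    // comes back character-for-character in the rendered page.
    static bool ReflectedRaw(string html, string submitted) =>
        submitted.IndexOfAny(new[] { '<', '>', '"', '\'' }) >= 0 &&
        html.Contains(submitted);

    // Defense in depth for the persistent login cookie: HttpOnly hides it
    // from page script. It does not replace output encoding.
    static string PersistentLoginCookie(string name, string token, int days) =>
        name + "=" + token + "; Max-Age=" + (days * 86400) +
        "; Path=/; HttpOnly; Secure; SameSite=Lax";

    static void Main()
    {
        // Constructed sample input: harmless markup used only as a marker.
        string submitted = "\"><b>marker</b>";

        string unsafeHtml = RenderUnsafe("FirstName", submitted);
        string safeHtml = RenderEncoded("FirstName", submitted);

        Console.WriteLine(unsafeHtml);
        Console.WriteLine(safeHtml);
        Console.WriteLine("unsafe reflects raw:  " + ReflectedRaw(unsafeHtml, submitted));
        Console.WriteLine("encoded reflects raw: " + ReflectedRaw(safeHtml, submitted));

        // Constructed cookie name and token value.
        Console.WriteLine("Set-Cookie: " +
            PersistentLoginCookie("portal_login", "EXAMPLE_TOKEN", 30));
    }
}
```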
------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Online URL : http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=456107
The required information is also attached.
------------------------------------------------------
FINAL WORDS;
------------------------------------------------------
Other pages also look like they have some similar security problems.
I also want to thank the whole DotNetNuke team; they fixed the problems quickly.
-----------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 12.12.2003
Vendor Informed : 30.01.2004
Published : 28.01.2004
------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered and fixed.
Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
