
dotnetnukexss.txt

Posted Aug 14, 2005
Authored by Mark Woan | Site woany.co.uk

DotNetNuke versions below 3.0.12 suffer from multiple cross site scripting flaws.

tags | advisory, xss
advisories | CVE-2005-0040
SHA-256 | c2cd718a3f563a4496cb58b9ce3ec07339462cd89d63d0b53d80e0a555d3b950


Security Advisory
-----------------


Advisory Name: Multiple DotNetNuke Cross Site Scripting (XSS) Vulnerabilities
Release Date: 16/05/2005
Application: DotNetNuke (Multiple versions affected)
Platform: Microsoft Windows
Versions Affected: Versions below 3.0.12
Severity: Allows unauthenticated cross site scripting attacks
Author: Mark Woan (m.woan[at]eris.qinetiq.com)
Vendor Status: Informed and patch available
CVE Candidate: CAN-2005-0040
Reference: www.woany.co.uk/advisories/dotnetnukexss.txt


Overview:

DotNetNuke is an Open Source hybrid of the IBuySpy Portal. Its management
team is dedicated to the ongoing management of core portal application
enhancements.
DotNetNuke provides automated content management capabilities and tools to
maintain a dynamic and 100% interactive data-driven web site.


Details:

Issue 1 (XSS)
-------------
There is a vulnerability caused by the lack of input validation when
registering a new user within a DotNetNuke portal. An attacker could use a
cross site scripting (XSS) attack when registering a new user; when the View
All User Details page is viewed, the malicious code will be executed,
resulting in the capture of Administrative session credentials. Versions
prior to 3.0.12 appear to be vulnerable.

Issue 2 (Secondary XSS)
-----------------------
The User-Agent string sent with each request is stored for logging purposes.
This data comes from the client and cannot be trusted, and therefore must be
sanitised.
An attacker could set the User-Agent string for the request to malicious
script code, which would be logged and executed when any logs are viewed
that contain the User-Agent field. This attack can be utilised by an
unauthenticated user simply requesting the root page.

Issue 3 (Secondary XSS)
-----------------------
The failed logon Username is stored and displayed on the Log Viewer page. An
attacker can send a Logon request with malicious script set as the parameter
value; the script passed in the parameter will be executed when an
Administrative user views the Log Viewer page or any log page that displays
the failed logon Username.
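
The flaw class behind Issues 2 and 3, and its fix at output time, shown as an added example that is not part of the original advisory and is not DotNetNuke code. It is written in Python rather than ASP.NET; the record layout, field names and function names are assumptions made for illustration.

```python
import html

# Constructed sample log records (not from a real DotNetNuke install).
# "username" and "user_agent" are supplied by the client, as in Issues 2 and 3.
SAMPLE_LOG = [
    {"event": "PAGE_VIEW", "username": "",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"event": "PAGE_VIEW", "username": "",
     "user_agent": "<script>alert(1)</script>"},
    {"event": "LOGIN_FAILURE", "username": '"><img src=x onerror=alert(1)>',
     "user_agent": "Mozilla/4.0"},
]

COLUMNS = ("event", "username", "user_agent")
UNTRUSTED_FIELDS = ("username", "user_agent")
MARKUP_CHARS = set("<>\"'&")


def render_row_unsafe(rec):
    """The flaw: stored client data is concatenated straight into the page."""
    return ("<tr><td>{event}</td><td>{username}</td>"
            "<td>{user_agent}</td></tr>").format(**rec)


def render_row_safe(rec):
    """The fix: HTML-encode every field when the log viewer writes it out."""
    cells = (html.escape(str(rec[name]), quote=True) for name in COLUMNS)
    return "<tr>" + "".join("<td>%s</td>" % cell for cell in cells) + "</tr>"


def flag_suspicious(records):
    """Indexes of records whose client-supplied fields hold HTML metacharacters.

    Useful for auditing logs written before the fix; it is a triage aid,
    not a replacement for encoding on output.
    """
    return [i for i, rec in enumerate(records)
            if any(MARKUP_CHARS & set(rec[f]) for f in UNTRUSTED_FIELDS)]


if __name__ == "__main__":
    for record in SAMPLE_LOG:
        print(render_row_safe(record))
    print("records to review:", flag_suspicious(SAMPLE_LOG))
```

Encoding at the point of display covers every stored field regardless of how it entered the log, which is why it is applied in the viewer rather than only at logging time.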


Vendor Response:

05-01-2005 Contacted core development team via email
10-01-2005 Response from vendor received and confirmed
10-01-2005 Second mail sent regarding more issues
13-01-2005 Sent email asking for confirmation of second email (No vendor
response)
12-03-2005 DotNetNuke v3.0.12 released (All reported security issues fixed)


Recommendations:

Users should install DotNetNuke v3.0.12 or greater.


Notes:
Thanks to NISCC (www.niscc.gov.uk) for their help assigning the CVE
reference.
