Security Advisory ----------------- Advisory Name: Multiple DotNetNuke Cross Site Scripting (XSS) Vulnerabilities Release Date: 16/05/2005 Application: DotNetNuke (Multiple versions affected) Platform: Microsoft Windows Versions Affected: Versions below 3.0.12 Severity: Allows unauthenticated cross site scripting attacks Author: Mark Woan (m.woan[at]eris.qinetiq.com) Vendor Status: Informed and patch available CVE Candidate: CAN-2005-0040 Reference: www.woany.co.uk/advisories/dotnetnukexss.txt Overview: DotNetNuke is an Open Source hybrid of the IBuySpy Portal. Its management team is dedicated to the ongoing management of core portal application enhancements. DotNetNuke provides automated content management capabilities and tools to maintain a dynamic and 100% interactive data-driven web site. Details: Issue 1 (XSS) ------------- There is a vulnerability caused by the lack of input validation when registering a new user within a DotNetNuke portal. An attacker could use a cross site scripting (XSS) attack when registering a new user, when the View All User Details page the malicious code will be executed, resulting in the capture of Administrative session credentials. Versions prior to 3.0.12 appear to be vulnerable. Issue 2 (Secondary XSS) ----------------------- The User-Agent string sent with each request is stored for logging purposes. This data comes from the client and cannot be trusted, and therefore must be sanitised. An attacker could set the User-Agent string for the request to malicious script code, which would be logged and executed when any logs are viewed that contain the User-Agent field. This attack can be utilised by an unauthenticated user simply requesting the root page. Issue 3 (Secondary XSS) ----------------------- The failed logon Username is stored and displayed on the Log Viewer page. An attacker can send a Logon request with malicious script set as the parameter value, the script passed in the parameter will be executed when an Administrative user views the Log Viewer page or any log page that displays the failed logon Username. Vendor Response: 05-01-2005 Contacted core development team via email 10-01-2005 Response from vendor received and confirmed 10-01-2005 Second mail sent regarding more issues 13-01-2005 Sent email asking for confirmation of second email (No vendor response) 12-03-2005 DotNetNuke v3.0.12 released (All reported security issues fixed) Recommendations: Users should install DotNetNuke v3.0.12 or greater. Notes: Thanks to NISCC (www.niscc.gov.uk) for their help assigning the CVE reference.