
vuln20-09-2006.txt

Posted Oct 2, 2006
Site secureshapes.com

DotNetNuke suffers from a flaw that allows HTML code injection.

tags | advisory
SHA-256 | 69dcedf35509c02cf1cc48d627974a16aee5425bbfe329f3838d0fb084c056c4

Security Advisory: VULN20-09-2006 - http://www.secureshapes.com/advisories/vuln20-09-2006.htm

Vendor Security Bulletin:
http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DotNetNuke - HTML Code Injection Vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Date: 20/09/2006

* Severity: Low

* Impact: Code Injection

* Solution Status: Vendor Patch

* Version: All versions of DotNetNuke

* Vendor Website: http://dotnetnuke.com/

:: ABOUT THE SOFTWARE

DotNetNuke® is an Open Source Framework ideal for creating Enterprise Web
Applications.

Unfortunately, DotNetNuke is vulnerable to HTML code injection.

:: TECHNICAL DESCRIPTION

The error variable in the URL can be manipulated to inject HTML code into
the page.

Example:

http://xxxxxx/Default.aspx?tabid=510&error=The+state+information+is+invalid+for+this+page+and+might+be+corrupted

It is possible to inject HTML code in that error variable.

In particular, it is also possible to produce a "space" character by
inserting complete HTML tags such as <script></script> and/or <form></form>
in the injected code. This allows the attacker to specify attributes in the
injected HTML tags.

Example:

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<script></script>/><iframe<script></script>src=http://www.google.com>

or

http://xxxxxxxxxxxx/Default.aspx?tabid=510&error="<form></form>/><iframe<form></form>src=http://www.google.com>

In the HTML source code, this injection results in:

<form name="Form" method="post" action="/Default.aspx?tabid=510&error="
/><iframe src=http://www.google.com>" id="Form"
enctype="multipart/form-data" style="height: 100%;">

The space in the HTML code between iframe and src is generated because of
the complete tag injected previously.
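
Added example, not part of the original advisory and not DotNetNuke code: a small Python model of the reflection described above, showing the unencoded form tag beside an attribute-encoded one and what an HTML parser sees in each. The tag-pair stripping filter is an assumption inferred from the advisory's remark about the generated space, and all function names are hypothetical.

```python
import html
import re
from html.parser import HTMLParser

# Constructed input: path and query of the advisory's second example URL.
SAMPLE = ('/Default.aspx?tabid=510&error='
          '"<form></form>/><iframe<form></form>src=http://www.google.com>')

# Assumption: the application removes complete tag pairs and leaves a space,
# which is how the advisory accounts for the space between "iframe" and "src".
TAG_PAIR = re.compile(r"<(\w+)[^<>]*>.*?</\1>", re.S)


def strip_tag_pairs(value):
    return TAG_PAIR.sub(" ", value)


def render_unencoded(raw_url):
    """Reflect the filtered URL into the action attribute as-is (the flaw)."""
    return ('<form name="Form" method="post" action="%s" id="Form">'
            % strip_tag_pairs(raw_url))


def render_encoded(raw_url):
    """Attribute-encode the URL so quotes and angle brackets stay data."""
    return ('<form name="Form" method="post" action="%s" id="Form">'
            % html.escape(raw_url, quote=True))


class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the start tags an HTML parser sees in the rendered markup."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        out = render(SAMPLE)
        print(render.__name__, start_tags(out), out, sep="\n  ")
```

With encoding applied at output, the whole query string remains the value of the action attribute and no filter on complete tags is needed.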

:: VENDOR RESPONSE

The vendor security bulletin link is:

http://dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/SecurityBulletinno3/tabid/990/Default.aspx

The patches are available here:

http://www.dotnetnuke.com/tabid/125/default.aspx - registration needed in
order to download them

:: DISCLOSURE TIMEFRAME

04/09/2006 - Preliminary Vendor notification.

06/09/2006 - Vulnerability confirmed in all versions

17/06/2006 - DotNetNuke releases version 3.3.5 and 4.3.5 with fix

20/09/2006 - Coordinated public release.

Total Time to Fix: 13 days

:: CREDIT

The vulnerability was discovered by Roberto Suggi Liverani and Antonio Spera
of Secure Shapes.

~~~~~~~~~~~~~~~~~~~

About Secure Shapes

~~~~~~~~~~~~~~~~~~~

Secure Shapes Ltd provides vulnerability assessments, website penetration
testing, network penetration testing and security consultancy.

E-mail: contact [at] secureshapes.com
