''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ ''' Abysssec Inc Public Advisory Title : IfNuke Multiple Remote Vulnerabilities Affected Version : IfNuke 4.0.0 Discovery : www.abysssec.com Vendor : http://www.ifsoft.net/default.aspx Demo : http://www.ifsoft.net/default.aspx?portalName=demo Download Links : http://ifnuke.codeplex.com/ Admin Page : http://Example.com/Login.aspx?PortalName=_default Description : =========================================================================================== This version of IfNuke have Multiple Valnerabilities : 1- arbitrary Upload file 2- Persistent XSS arbitrary Upload file =========================================================================================== using this vulnerability you can upload any file with this two ways: 1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1 (the value of AlbumId is necessary) your files will be in this path: http://Example.com/Users/Albums/ with this format (for example): Shell.aspx ---> img_634150553723437500.aspx That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be built in this file : http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs Ln 102 : fileName = "img_" + DateTime.Now.Ticks.ToString() + "." + GetFileExt(userPostedFile.FileName); it's possible to do same thing here : 2- http://Example.com/modules/PreDefinition/VideoUpload.aspx and the same vulnerable code is located here : http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs Ln 39 : string createdTime = DateTime.Now.ToString("yyyyMMddHHmmssffff"); string newFileNameWithoutExtension = Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime; string uploadFilePath = Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) + newFileNameWithoutExtension + Path.GetExtension(fileName)); Persistent XSS Vulnerabilities: =========================================================================================== In these Modules you can find Persistent XSS that data saves with no sanitization: 1- Module name : Article Fields : Title , Description Valnerable Code: ...\Modules\PreDefinition\Article.ascx.cs ln 106: if (S_Title.Text.Trim() != string.Empty) { parameters.Add("@Title", S_Title.Text.Trim()); parameters.Add("@Description", S_Title.Text.Trim()); parameters.Add("@Tags", S_Title.Text.Trim()); } -------------------------------------------------------------------------------------- 2- Module name : ArticleCategory Field : Name Valnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs ln 96: entity.Name = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategoryName_E")).Text.Trim(); -------------------------------------------------------------------------------------- 3- Module name : HtmlText Field : Text Valnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs ln 66: entity.Content = txtContent.Value.Trim().Replace("//",string.Empty); -------------------------------------------------------------------------------------- 4- Module name : LeaveMessage Fields : NickName , Content Valnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs ln 55: entity.NickName = txtNickName.Text.Trim(); entity.Content = txtContent.Text.Trim(); -------------------------------------------------------------------------------------- 5- Module name : Link Field : Title Valnerable Code: ...\Modules\PreDefinition\Link.ascx.cs ln 83: entity.Title = ((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E")).Text.Trim(); -------------------------------------------------------------------------------------- 6- Module name : Photo Field : Title Valnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs ln 280: entity.Title = txtTitle_E.Text.Trim(); ===========================================================================================