=========================================================== [+] Douran Portal <= V3.9.7.55 Multiple Remote Vulnerabilities =========================================================== [+] Author : ItSecTeam [+] Contact : Bug@itsecteam.com [+] Site : www.itsecteam.com [+] Forum : http://forum.itsecteam.com/ [+] Thanks : Amin Shokohi (Pejvak!) , homay ~~~~~~~~~~~~~~~~[Information]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Web App : Douran Portal [+] Version : Worked In Last Version (V3.9.7.55) And Prior [+] Software: http://www.douran.com [+][+][+][+][+][+][+](Vulnerabilities)[+][+][+][+][=][+][+] [1] Xss None Present : [~] Poc : Douran.dll:DouranPortal.DesktopModules.OrderForm private void Page_Load(object sender, EventArgs e) { this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for") + " " + base.Request.QueryString["ItemTitle"]; } Print Request.QueryString["ItemTitle"] Without Check [~] Secure : private void Page_Load(object sender, EventArgs e) { this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for") + " " + CheckString(base.Request.QueryString["ItemTitle"]); } [-] End Poc [#] Exploit : http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle= [*] Demo : http://isaar.ir/DesktopModules/Gallery/OrderForm.aspx?itemtitle= [2] Remote File Upload : [Note] : Worked In Older 3.8.2.2 [~] Poc : You Can Upload Your File Without Check Authorization You Can Upload : string acceptedFiles = ";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;"; You Can Bypass [-] End Poc [#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*] Demo :http://www.isbn.ir/DesktopModules/ftb/ftb.imagegallery.aspx [3] Information Leakage Show Device Info : http://Site.Com/security/DeviceInfo.aspx [4] Xss Present : http://Site.Com/security/DeviceInfo.aspx [~] Poc : Douran.dll:DouranPortal.DesktopModules.BlogDB Submit Data Without Check{ blogDB.AddBlogComment(ModuleID, ItemID, this.txtName.Text,this.txtTitle.Text, this.txtURL.Text, this.txtComments.Text); } public void AddBlogComment(int moduleID, int itemID, string name, string title, string url, string comment) { if (name.Length < 1) { name = "unknown"; } if (title.Length > 100) { title = title.Substring(0, 100); } if (name.Length > 100) { name = name.Substring(0, 100); } if (url.Length > 200) { url = url.Substring(0, 200); } SqlConnection sqlConnectionString = PortalSettings.SqlConnectionString; SqlCommand command = new SqlCommand("dp_BlogCommentAdd", sqlConnectionString); command.CommandType = CommandType.StoredProcedure; SqlParameter parameter = new SqlParameter("@ModuleID", SqlDbType.Int, 4); parameter.Value = moduleID; command.Parameters.Add(parameter); SqlParameter parameter2 = new SqlParameter("@ItemID", SqlDbType.Int, 4); parameter2.Value = itemID; command.Parameters.Add(parameter2); SqlParameter parameter3 = new SqlParameter("@Name", SqlDbType.NVarChar, 100); parameter3.Value = name; command.Parameters.Add(parameter3); SqlParameter parameter4 = new SqlParameter("@Title", SqlDbType.NVarChar, 100); parameter4.Value = title; command.Parameters.Add(parameter4); SqlParameter parameter5 = new SqlParameter("@URL", SqlDbType.NVarChar, 200); parameter5.Value = url; command.Parameters.Add(parameter5); SqlParameter parameter6 = new SqlParameter("@Comment", SqlDbType.NText); parameter6.Value = comment; command.Parameters.Add(parameter6); sqlConnectionString.Open(); command.ExecuteNonQuery(); sqlConnectionString.Close();} [-] End Poc [#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx [-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-] ~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~