Security Bulletin no.17

Failure to revalidate file and folder permissions correctly for uploads

Published: May 27, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

DotNetNuke uses rich text editor controls in a variety of modules. The application uses a provider model to allow this functionality to be easily replaced with controls of the user's choice, including default support for the popular FTB and FCK editor controls. These rich text editor controls typically leverage the DotNetNuke URLControl to provide a convenient method for selecting URLs, pages, and files for the portal. In the files area, there is also the ability to upload files from your client machine. Once selected, the file(s) are passed to the DotNetNuke API, which handles the saving of the file, including services such as the ability to store files in a secure filesystem or secure database.

Issue Summary


The logic for both the UrlControl and the FileSystem API was missing some key security validation. It assumed that any input passed from a rich text editor control was valid, and did not revalidate the folder permissions. In addition, it had flawed logic which allowed a user to WRITE files to folders for which they only had READ access. A hacker could use these two flaws in combination to upload files to folders from which they should have been restricted. Since by default in most DotNetNuke portals Anonymous Users have READ access to all folders beneath the "Portals" home directory, the flawed logic allowed a user to upload a file to any folder under this directory. Files which were typically deposited as part of this security exploit were named ISCN.txt and simply contained notice of credit for the attack.

Mitigating factors

The FileSystem API performs a verification check for "safe" file extensions. By default the list of "safe" file extensions (defined in Host Settings) is quite small, meaning that only files such as text files, JPGs and GIFs can be uploaded, and not more dangerous files with dynamic extensions such as aspx/asp etc.

Note: whilst the payload of this attack is limited by the check for extension, as it can be remotely exploited by anonymous users, it was decided to elevate this issue's rating to "Critical".
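The two checks described under Issue Summary and Mitigating factors, sketched as an added example (not DotNetNuke's own code): the save routine itself re-checks that the caller holds WRITE on the target folder, then applies the extension allowlist. The types `FolderAccess` and `UploadGuard`, the role names, and the sample permission table are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical model for illustration; none of these names are DotNetNuke APIs.
[Flags]
public enum FolderAccess { None = 0, Read = 1, Write = 2 }

public sealed class UploadGuard
{
    private readonly Dictionary<(string, string), FolderAccess> _acl; // (folder, role) -> access
    private readonly HashSet<string> _safeExtensions;

    public UploadGuard(Dictionary<(string, string), FolderAccess> acl, IEnumerable<string> safeExtensions)
    {
        _acl = acl;
        _safeExtensions = new HashSet<string>(safeExtensions, StringComparer.OrdinalIgnoreCase);
    }

    // Called from the save path on every upload, regardless of which UI control
    // supplied the folder: the server never trusts the editor's earlier check.
    public bool MayUpload(IEnumerable<string> roles, string folder, string fileName)
    {
        // WRITE must be granted explicitly; holding READ alone never authorizes an upload.
        bool canWrite = roles.Any(role =>
            _acl.TryGetValue((folder, role), out var access) && (access & FolderAccess.Write) != 0);
        // Independent second check: the extension allowlist (files with no extension are refused).
        string ext = Path.GetExtension(fileName).TrimStart('.');
        return canWrite && _safeExtensions.Contains(ext);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample permissions: anonymous visitors can read, editors can also write.
        var acl = new Dictionary<(string, string), FolderAccess>
        {
            [("Portals/0/", "Anonymous")] = FolderAccess.Read,
            [("Portals/0/", "Editors")] = FolderAccess.Read | FolderAccess.Write,
        };
        var guard = new UploadGuard(acl, new[] { "txt", "jpg", "gif" });
        foreach (var (role, file) in new[] { ("Anonymous", "notice.txt"), ("Editors", "logo.gif"), ("Editors", "page.aspx") })
            Console.WriteLine($"{role} -> {file}: {guard.MayUpload(new[] { role }, "Portals/0/", file)}");
    }
}
```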

Affected DotNetNuke versions

3.0 - 4.8.2 inclusive.


Non-Affected Versions:

All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.8.3 at time of writing).

Acknowledgments

Tomotoshi Sugishita ( DotNetNuke Japan User Group )
Mitchell Sellers
