Laatste nieuws
DotNetNuke Remote Code Execution kwetsbaarheid ontdekt door Fox-IT
Op 23 November 2010 heeft Fox-IT een serieuze kwetsbaarheid ontdekt in het open source content management systeem DotNetNuke. De kwetsbaarheid leidt tot volledige toegang tot de DotNetNuke omgeving. De fabrikant is op de hoogte gesteld en een oplossing is beschikbaar. De details zijn in het Engels:
Details
CVE reference: -
Vulnerability discovered: November 23, 2010
Discovered by: Daniël Niggebrugge, Fox-IT BV (https://www.fox-it.com/)
Reported to vendor: November 30, 2010
Fix available: Yes
Product DotNetNuke is an open source Content Management System (CMS) based on Microsoft ASP.NET. DotNetNuke powers over 600,000 production web sites worldwide. More information can be found at: http://www.dotnetnuke.com/Intro/AtAGlance/tabid/1579/Default.aspx
Vulnerability An anonymous attacker can upload ASPX files, access these files and is then able to execute arbitrary commands on the web server. This leads to full compromise of the DotNetNuke environment and possibly compromise of other web applications and/or information on the web server.
Fox-IT verified DotNetNuke version 05.06.00 (459) to be vulnerable to this issue.
Fix This issue has been fixed in DotNetNuke version 05.06.01. Fox-IT advises to test and deploy this new version as soon as possible.
Details The vulnerability is caused by several web pages of DotNetNuke that insufficiently enforce authorization checks. Depending on the function of the vulnerable web page, several issues might arise. The most severe issue makes it possible to upload executable files without proper authorizations and execute arbitrary commands on the web server.
References DotNetNuke security bulletin:
http://www.dotnetnuke.com/securitybulletinno46/tabid/2113/Default.aspx
You can download the advisory in PDF form here: Advisory_Remote_Code_Execution_DotNetNuke_public.pdf
