Text :  

'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/

'''

Abysssec Inc Public Advisory


Title : IfNuke Multiple Remote Vulnerabilities
Affected Version : IfNuke 4.0.0
Discovery : www.abysssec.com
Vendor : http://www.ifsoft.net/default.aspx

Demo : http://www.ifsoft.net/default.aspx?portalName=demo
Download Links : http://ifnuke.codeplex.com/


Admin Page : http://Example.com/Login.aspx?PortalName=_default


Description :
===========================================================================
================
This version of IfNuke have Multiple Valnerabilities :

1- arbitrary Upload file
2- Persistent XSS



arbitrary Upload file
===========================================================================
================

using this vulnerability you can upload any file with this two ways:

1- http://Example.com/Modules/PreDefinition/PhotoUpload.aspx?AlbumId=1
(the value of AlbumId is necessary)

your files will be in this path:
http://Example.com/Users/Albums/

with this format (for example):
Shell.aspx ---> img_634150553723437500.aspx

That 634150553723437500 value is DateTime.Now.Ticks.ToString() and will be
built in this file :

http://Example.com/Modules/PreDefinition/PhotoUpload.ascx.cs

Ln 102 : fileName = "img_" +
DateTime.Now.Ticks.ToString() + "." +
GetFileExt(userPostedFile.FileName);



it's possible to do same thing here :

2- http://Example.com/modules/PreDefinition/VideoUpload.aspx

and the same vulnerable code is located here :

http://Example.com/Modules/PreDefinition/VideoUpload.ascx.cs

Ln 39 : string createdTime =
DateTime.Now.ToString("yyyyMMddHHmmssffff");
string newFileNameWithoutExtension =
Path.GetFileNameWithoutExtension(fileName) + "_" + createdTime;
string uploadFilePath =
Server.MapPath(VideoHelper.GetVideoUploadDirectory(CurrentUser.Name) +
newFileNameWithoutExtension + Path.GetExtension(fileName));


Persistent XSS Vulnerabilities:
===========================================================================
================

In these Modules you can find Persistent XSS that data saves with no
sanitization:

1- Module name : Article
Fields : Title , Description
Valnerable Code: ...\Modules\PreDefinition\Article.ascx.cs
ln 106:
if (S_Title.Text.Trim() != string.Empty)
{
parameters.Add("@Title", S_Title.Text.Trim());
parameters.Add("@Description",
S_Title.Text.Trim());
parameters.Add("@Tags", S_Title.Text.Trim());
}


---------------------------------------------------------------------------
-----------

2- Module name : ArticleCategory
Field : Name
Valnerable Code: ...\Modules\PreDefinition\ArticleCategory.ascx.cs
ln 96:
entity.Name =
((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtCategory
Name_E")).Text.Trim();


---------------------------------------------------------------------------
-----------

3- Module name : HtmlText
Field : Text
Valnerable Code: ...\Modules\PreDefinition\HtmlText.ascx.cs
ln 66:
entity.Content =
txtContent.Value.Trim().Replace("//",string.Empty);


---------------------------------------------------------------------------
-----------

4- Module name : LeaveMessage
Fields : NickName , Content
Valnerable Code: ...\Modules\PreDefinition\LeaveMessage.ascx.cs
ln 55:
entity.NickName = txtNickName.Text.Trim();
entity.Content = txtContent.Text.Trim();


---------------------------------------------------------------------------
-----------

5- Module name : Link
Field : Title
Valnerable Code: ...\Modules\PreDefinition\Link.ascx.cs
ln 83:
entity.Title =
((TextBox)lstSearch.Rows[lstSearch.EditIndex].FindControl("txtTitle_E&
quot;)).Text.Trim();


---------------------------------------------------------------------------
-----------

6- Module name : Photo
Field : Title
Valnerable Code: ...\Modules\PreDefinition\Photo.ascx.cs
ln 280:
entity.Title = txtTitle_E.Text.Trim();


===========================================================================
================

  References :  

None