Info

Disclosure

Jan 19, 2011

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Jan 19, 2011

Description

DotNetNuke contains a flaw related to a failure to sufficiently enforce authorization checks. This may allow a remote attacker to upload an ASPX file and use it to execute arbitrary code.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure

Solution

Upgrade to version 5.6.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

DotNetNuke Corporation	DotNetNuke	5.0.x
		6.1.x
		5.2.x
		5.3.x
		5.4.x
		5.5.x
		5.6.0

References

Mail List Post: http://seclists.org/bugtraq/2011/Jan/118
Vendor URL: http://www.dotnetnuke.com/Intro/AtAGlance/tabid/1579/Default.aspx
Vendor Specific Advisory URL: http://www.dotnetnuke.com/securitybulletinno46/tabid/2113/Default.aspx
Other Advisory URL: https://www.fox-it.com/en/news-and-events/news/recent-news/news-article/dotnetnuke-remote-code-execution-vulnerability-discovered-by-fox-it/174

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/72230

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

DotNetNuke Corporation

DotNetNuke

References

Credit