DotNetNuke up to 7.4.0 Installation Wizard InstallWizard.aspx access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.2 | $0-$5k | 0.00 |
Summary
A vulnerability was found in DotNetNuke up to 7.4.0. It has been declared as critical. This vulnerability affects unknown code of the file Install/InstallWizard.aspx of the component Installation Wizard. Executing a manipulation can lead to access control. This vulnerability is registered as CVE-2015-2794. It is possible to launch the attack remotely. Furthermore, an exploit is available. It is recommended to upgrade the affected component.
Details
A vulnerability was found in DotNetNuke up to 7.4.0 (Content Management System). It has been declared as critical. This vulnerability affects some unknown processing of the file Install/InstallWizard.aspx of the component Installation Wizard. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-264. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
The bug was discovered 05/06/2016. The weakness was published 02/06/2017 by Marios Nicolaides as EDB-ID 39777 as confirmed exploit (Exploit-DB). The advisory is available at exploit-db.com. This vulnerability was named CVE-2015-2794 since 03/30/2015. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details and also a public exploit are known. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.
A public exploit has been developed by Marios Nicolaides and been published even before and not after the advisory. It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. By approaching the search of inurl:Install/InstallWizard.aspx it is possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 100934 (DNN (DotNetNuke) < 7.4.1 Administration Authentication Bypass Vulnerability), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CGI abuses and running in the context r. The commercial vulnerability scanner Qualys is able to test this issue with plugin 11752 (DotNetNuke Administration Authentication Bypass Vulnerability).
Upgrading to version 7.4.1 eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 41713.
The vulnerability is also documented in the databases at Exploit-DB (39777), Tenable (100934) and SecurityFocus (BID 96373†). Once again VulDB remains the best source for vulnerability data.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.2
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Marios Nicolaides
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 100934
Nessus Name: DNN (DotNetNuke) < 7.4.1 Administration Authentication Bypass Vulnerability
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: DotNetNuke 7.4.1
Snort ID: 41713
Snort Message: SERVER-WEBAPP DotNetNuke installation attempt detected
Snort Class: 🔍
Timeline
03/30/2015 🔍05/26/2015 🔍
05/06/2016 🔍
05/06/2016 🔍
05/06/2016 🔍
02/06/2017 🔍
02/06/2017 🔍
02/06/2017 🔍
02/06/2017 🔍
06/20/2017 🔍
11/27/2024 🔍
Sources
Advisory: EDB-ID 39777Researcher: Marios Nicolaides
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2015-2794 (🔍)
GCVE (CVE): GCVE-0-2015-2794
GCVE (VulDB): GCVE-100-96550
SecurityFocus: 96373 - DotNetNuke CVE-2015-2794 Authentication Bypass Vulnerability
OSVDB: - CVE-2015-2794 - DotNetNuke - Authentication Bypass Issue
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 02/06/2017 19:24Updated: 11/27/2024 07:47
Changes: 02/06/2017 19:24 (79), 08/11/2020 09:13 (7), 06/24/2024 16:37 (17), 11/27/2024 07:47 (2)
Complete: 🔍
Cache ID: 216:FB5:103
No comments yet. Languages: en.
Please log in to comment.