DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
BID:13646
Info
DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
| Bugtraq ID: | 13646 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-0040 |
| Remote: | Yes |
| Local: | No |
| Published: | May 16 2005 12:00AM |
| Updated: | Jul 12 2009 02:56PM |
| Credit: | "Mark Woan" <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: |
DotNetNuke DotNetNuke 3.0.8 DotNetNuke DotNetNuke 3.0.7 DotNetNuke DotNetNuke 2.1.2 DotNetNuke DotNetNuke 2.1.1 DotNetNuke DotNetNuke 1.0.10 e DotNetNuke DotNetNuke 1.0.10 d DotNetNuke DotNetNuke 1.0.9 DotNetNuke DotNetNuke 1.0.8 DotNetNuke DotNetNuke 1.0.7 DotNetNuke DotNetNuke 1.0.6 |
| Not Vulnerable: |
DotNetNuke DotNetNuke 3.1 .0 |
Discussion
DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
DotNetNuke is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Specifically user-supplied input supplied as a User-Agent string value is not sanitized, allowing script or HTML code to be included in application log files.
DotNetNuke is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Specifically user-supplied input supplied as a User-Agent string value is not sanitized, allowing script or HTML code to be included in application log files.
Exploit / POC
DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
No exploit is required.
No exploit is required.
Solution / Fix
DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
Solution:
Reports indicate that a fix is available to address this vulnerability. Symantec has not confirmed this. Please contact the vendor for further information in regards to obtaining and applying a fix.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Reports indicate that a fix is available to address this vulnerability. Symantec has not confirmed this. Please contact the vendor for further information in regards to obtaining and applying a fix.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability
References:
References:
- DotNetNuke Homepage (DotNetNuke)