DotNetNuke CMS version 9.4.4 suffers from zip split issue where a directory traversal attack can be performed to overwrite files or execute malicious code.
7013e35effc30e3d3fbd7561c9b05233
# Exploit Title: Zip Slip vulnerability
# Date: 23 Feb 2020
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.4.4/DNN_Platform_9.4.4_Install.zip
# Version: => 9.4.4
# CVE : CVE-2020-5187
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
In a nutshell, Zip Slip is a kind of “directory traversal” attack, which exploits lack of directory names check while extracting archives. Using this vulnerability attacker may overwrite files with specific extensions on the system and may execute malicious code.
The zip file extraction function of DNN file upload feature is vulnerable to zip split until 9.5 version (9.5 is not vulnerable).
An attacker could replace any files with following extension on system -
“jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”
Ideally, only high privileged user is allowed to upload zip files, but using Vulnerability CVE-2020-5188 — extension bypass(CVE-2020-5188), a normal user can exploit this vulnerability. For example, a normal privileged user can replace CSS files on web application and perform defacement of the website.