How was identified CVE-2019-19392

During an authorized security test against a company it was found with Uniscan tool that existed on the company’s website, with the DNN (formerly DotNetNuke), a page that allowed to make uploads of files. Upon checking this page it was noticed that the module “forDNN.UsersExportImportmodule” was publicly displayed.

This is already a security issue since this page should not be publicly exposed as it allowed to export (with private user data) and import of users on the site. However, the identified issue became more serious since it allowed to import new users with Administration privileges leading to escalation of privileges. With this vulnerability any person can create a privileged user and then take over the vulnerable website.

This vulnerability was reported to “forDNN Team” and they already fixed this vulnerability. Plus, this vulnerability was also reported to MITRE, and they assigned a CVE with the following identification: CVE-2019-19392.

Description

All versions of the module “forDNN.UsersExportImport” for DNN lower then 1.2.0 allow an unprivileged user to import (create) new users with Administrator privileges.

Vulnerability Type
Insecure Permissions

Affected Versions
All versions of module lower than 1.2.0 are affected, so it is necessary to upgrade to 1.2.0 to fix this issue

Attack Vectors
To create an Administrator user (as demonstrated by Roles=”Administrators”), an attacker can import a XML/CSV file with a content such as:

<users><user ... Authorised="True" IsDeleted="False" RoleIDs="1,2,0," Roles="Registered Users,Subscribers,Administrators,"  ...   /></users>

The attacker (unprivileged user) will create an Administrator user and therefore will be able to access the administration panel of the website.

PS: Even if the attacker doesn’t know the assigned password he is able to reset the password (in the login page of the website).

João Orvalho
João Orvalho received his B.Sc in Computer Science and M.Sc. in Computer Security Engineering at Polytechnic Institute of Beja in Portugal, where he also taught. His interests include most aspects of cyber security, with an emphasis on network security, intrusion detection and prevention, cyber risk assessments and penetration testing.