750,000 DNN websites in danger: a simple SVG upload can lead to complete compromise


DNN, the leading open-source content management system (CMS) in the Microsoft ecosystem, has patched a stored cross-site scripting (XSS) vulnerability. The flaw lets attackers upload malicious SVG files and ultimately achieve remote code execution.

Researchers at Pentest-Tools.com disclosed a severe vulnerability affecting DNN, formerly known as DotNetNuke.

This platform has been downloaded more than 8 million times and powers over 750,000 websites globally. Moreover, around 1,300-1,645 instances have their DNN admin interface or identifiable fingerprint exposed on the public internet, as detected by Shodan and Censys scans.


While DNN is not a household name like WordPress or Shopify, it is a popular CMS choice for websites hosted on Windows/IIS servers.

All it takes to compromise a website is an upload of a malicious SVG (Scalable Vector Graphics) file.


“A user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user,” the advisory reads on GitHub.

The researchers at Pentest-Tools.com, who disclosed the bug, warn that the stored XSS vulnerability can be exploited by attackers to achieve remote code execution.

“When a privileged user views the file, the embedded JavaScript chains with a legitimate DNN admin endpoint to write an ASPX backdoor to the web root, handing the attacker remote code execution as the IIS application pool service account. The payload can be delivered entirely through DNN’s own internal messaging system; no external phishing infrastructure is required,” the researchers said.

How does it work?

The malicious SVG file can be relatively simple. However, the attackers need to upload it to the targeted server somehow. Any user account could do the job.


“All you need is an ‘a’ tag with an ‘href’ attribute containing a URL that uses the ‘javascript’ protocol,” the researchers said.

The JavaScript payload bypasses XSS filters. The simple demonstration triggers an alert on click for any authenticated or unauthenticated user who can access the file. However, the researchers went further and achieved RCE.

They crafted the SVG to contain a malicious script that calls the specific endpoint when triggered. The attacker would need to trick the site admin into clicking this malicious file, which would then drop a backdoor on the server. All the admin would see is an innocent-looking image file.

The malicious SVG does not attempt to steal any passwords or tokens. Instead, it uses the admin’s existing logged-in session to make API calls to a specific endpoint, writing a malicious file to the server – a tiny ASPX web shell the attackers can then use to run commands via URL.


This foothold can then be used to escalate privileges to SYSTEM on the affected Windows host.

“Administrators should patch immediately and audit user upload directories for unexpected SVG files and the web root for unrecognized ASPX files,” the researchers warned.
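As an added example, not code from the article or from the Pentest-Tools.com research, the following Python scanner performs the upload-directory part of the audit the researchers recommend: it parses each SVG under an upload folder and flags the active-content constructs the article describes (an `a` element whose `href` uses the `javascript:` scheme, inline event handlers, and script-bearing elements), normalizing away whitespace and entity tricks before checking the scheme. The directory path and the two sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Whitespace/control chars are stripped before the scheme check, so "java&#9;script:" still matches.
_STRIP = re.compile(r"[\s\x00-\x1f]")
URL_ATTRS = {"href", "src", "from", "to", "values"}
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

def _local(name: str) -> str:
    """Drop an XML namespace, e.g. '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return one finding per active-content construct; an empty list means none seen."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); quarantine for manual review"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                normalized = _STRIP.sub("", value).lower()
                if normalized.startswith(ACTIVE_SCHEMES):
                    findings.append(f"{name}= uses {normalized.split(':', 1)[0]}: scheme on <{tag}>")
    return findings

def audit_upload_dir(upload_root: str) -> dict[str, list[str]]:
    """Map every *.svg (any case) under upload_root to its findings; clean files are omitted."""
    report = {}
    for path in Path(upload_root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            if hits := find_active_content(path.read_bytes()):
                report[str(path)] = hits
    return report

# Constructed samples: a plain icon, and a file of the shape the advisory describes.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPECT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a href="java&#9;script:alert(1)">'
               b'<rect width="9" height="9"/></a><rect width="9" height="9" onclick="alert(1)"/></svg>')
```

Run `audit_upload_dir` against the DNN portal's user upload folder (the path depends on the installation) and review every file it reports; the ASPX half of the audit is a separate listing of unrecognized `.aspx` files in the web root.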
