DotNetNuke is vulnerable to an Cross-Site Request Forgery (CSRF) attack. As the ".DOTNETNUKE" cookie does not expire

Vulnerability found:
03 May 2013


Vendor informed:
17 May 2013


Severity level:
Medium

Credits:
Amir Azam of ProCheckUp Ltd (www.procheckup.com)

Description:
When a user logged out of the application, the user session is not invalidated at server-side as application only deletes the cookie. Provided that an attacker can capture a victim’s cookie (".DOTNETNUKE"), they could make request to application to perform unauthorised administrative actions because important requests are not tokenised which is known as CSRF attacks.

Successfully tested on:
Affected DNN Enterprise version: 07.00.05

Notes:
Vendor see this as a false positive vulnerability since this reflect the cookie being captured before it has been deleted by a user logging out of the application. As the “asp.net” forms authentication cookies contain the details of the expiry (with a valid expiry date in the future) within them, users logging out simply deletes the cookie, and an attacker might be able to move it in order to avoid the deletion or simply sniff the details. When the same request is replayed in the forms with authentication cookie, the application accepts it as it is the behavior of the DNN application by design. Vendor has agreed that they will consider tokenization the sensitive request in a future versions of DNN.

Proof of concept:
ProCheckUp was able to use an old ‘.DOTNETNUKE’ cookie to request the server to perform
unauthorised actions e.g. add user account, delete user account, change contents of page etc. See following example, which shows how an attacker could easily be able to add a user account to the application.

Step1: Login to application as admin user
step2: Capture a request where you could add a user to application
Step3: Delete that user and check user list to ensure that test user has been deleted successfully
Step4: Logout of the application
Step5: Replay step2 request and you will see error in your browser
Step6: Login to application to check list of users, and you will see that same user from the captured request has been added to application

Or

Replay following request which will create an account with these details:

Username: pcutest1
Password: password

How to fix:
Update DNN to 7.1.1 or apply a unique value to important requests which make them non-predictable. This is typically done using tokenization. For further information please refer to:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Cookies should expire on the server-side when logging out. Implement an idle session timeout period, so that sessions are expired automatically after some minutes of inactivity.

Legal:
Copyright 2013 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.