DNN DotNetNuke Server-Side Request Forgery Vulnerability Bypass Allowing Unauthenticated GET Request Execution

A bypass for the previously known vulnerability CVE-2017-0929 has been identified in DNN (DotNetNuke) versions prior to 9.13.8. This vulnerability allows unauthenticated attackers to execute arbitrary GET requests on target systems, including those on internal or adjacent networks. The issue facilitates a semi-blind Server-Side Request Forgery (SSRF) attack, enabling attackers to have the target server send requests to internal or external URLs while not being able to view the full responses. Potential impacts include reconnaissance of internal networks and bypassing firewall protections.

Impact

Exploitation of this vulnerability allows for a semi-blind SSRF attack, where the target server can be made to send requests to internal or external URLs, potentially leading to unauthorized access to internal services or data. The vulnerability could also be used to bypass firewalls, allowing for further exploitation of the network.

Reproduction

The vulnerability can be reproduced by sending a GET request to the DNN image handler service with a URL parameter that points to an internal or external resource. The request will be processed without proper validation, allowing access to the specified URL. This can be automated with a script or tool that sends repeated requests, such as with a burp suite extension or a custom script.

Remediation

Users can upgrade to DNN version 9.13.8 or later to address this vulnerability.