AjaxControlToolkit File Upload Directory Traversal

Risk: High
Local: No
Remote: Yes

The AjaxControlToolkit prior to version 15.1 has a file upload directory traversal vulnerability which on a poorly configured web server can lead to remote code execution. The issue affects any application using the AjaxFileUpload control. The vulnerability arises because the =E2=80=9CfileId=E2=80=9D is not validated = and can be altered by the user to contain directory traversal characters (\..\..\..\) allowing an attacker to write the uploaded file to any location on the file system that the web server=E2=80=99s file permissions allow. The "fileid" parameter is passed when uploading files. Intercepting the request and modifying the value of "fileid" to a directory path will result in the file being uploaded to be placed in the location on the remote server as long as file system permissions allow. If an attacker is capable of writing an arbitrary file to the server's web directory then remote code execution is possible. A demonstration of this is written here: http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=> e-code-execution-in-ajaxcontroltoolkit/ This issue has been reported to the vendor and an updated version of the library has been made available. CVE Number: CVE-2015-4670 Discovered by: Brian Cardinale Write Up: http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=> e-code-execution-in-ajaxcontroltoolkit/ Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr= <https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr=> c Affected Versions: * 7.1213.0 * 7.1005.0 * 7.1002.0 * 7.930.0 * 7.725.0 * 7.607.0 * 7.429.0



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top