AjaxControlToolkit File Upload Directory Traversal

Published: 2015.07.15
Credit: Brian Cardinale
Risk: High
CWE: CWE-22, CWE-264
CVE: N/A
Local: No
Remote: Yes

The AjaxControlToolkit prior to version 15.1 has a file upload directory
traversal vulnerability which on a poorly configured web server can lead to
remote code execution.

The issue affects any application using the AjaxFileUpload control. The
vulnerability arises because the “fileId” is not validated and can be
altered by the user to contain directory traversal characters (\..\..\..\),
allowing an attacker to write the uploaded file to any location on the file
system that the web server’s file permissions allow.

The "fileid" parameter is passed when uploading files. Intercepting the
request and modifying the value of "fileid" to a directory path results in
the uploaded file being placed at that location on the remote server, as
long as file system permissions allow. If an attacker is able to write an
arbitrary file into the server's web directory, remote code execution is
possible. A demonstration of this is written up here:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/
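As an added illustration (not the toolkit's own code), the trust-and-join pattern the advisory describes sits beside a hardened version that allow-lists the token and then proves the resolved path stays under the upload root. The upload root, the GUID-shaped fileId allow-list and the sample values are assumptions constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed example root; the toolkit's real temporary-upload location is not given in the advisory.
UPLOAD_ROOT = "/srv/app/App_Data/uploads"

# Assumption: a legitimate fileId is an opaque GUID-style token, so a strict allow-list is possible.
FILE_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def unsafe_upload_path(file_id: str, root: str = UPLOAD_ROOT) -> str:
    """The vulnerable pattern: trust the client-supplied fileId and join it onto the root.
    A value such as '..\\..\\..\\wwwroot\\poc.txt' walks out of `root`."""
    # Windows path APIs treat '\\' and '/' alike, so both separators are normalised before joining.
    return posixpath.normpath(posixpath.join(root, unquote(file_id).replace("\\", "/")))


def safe_upload_path(file_id: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened version: allow-list the token, then verify the result stays under `root`."""
    decoded = unquote(file_id)
    if not FILE_ID_RE.fullmatch(decoded):
        raise ValueError(f"fileId rejected by allow-list: {file_id!r}")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    root_norm = posixpath.normpath(root)
    # Second, independent containment check on the normalised path (defence in depth).
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError(f"fileId escapes upload root: {file_id!r}")
    return candidate


def accepts(file_id: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the hardened handler would accept this fileId."""
    try:
        safe_upload_path(file_id, root)
        return True
    except ValueError:
        return False


def escapes_root(file_id: str, root: str = UPLOAD_ROOT) -> bool:
    """Detection helper: would this fileId, handled by the vulnerable code, land outside `root`?
    Suitable for scanning logged 'fileid' values on servers that have not yet been upgraded."""
    root_norm = posixpath.normpath(root)
    return posixpath.commonpath([root_norm, unsafe_upload_path(file_id, root)]) != root_norm
```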

This issue has been reported to the vendor and an updated version of the
library has been made available.

CVE Number: CVE-2015-4670

Discovered by: Brian Cardinale

Write Up:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/

Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/src

Affected Versions:

* 7.1213.0
* 7.1005.0
* 7.1002.0
* 7.930.0
* 7.725.0
* 7.607.0
* 7.429.0

References:

http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/