exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AjaxControlToolkit File Upload Directory Traversal

AjaxControlToolkit File Upload Directory Traversal
Posted Jul 14, 2015
Authored by Brian Cardinale

The AjaxControlToolkit prior to version 15.1 has a file upload directory traversal vulnerability which on a poorly configured web server can lead to remote code execution.

tags | advisory, remote, web, code execution, file upload
advisories | CVE-2015-4670
SHA-256 | 3ecb8a9a5021d70b1e7c79052e7ca74b09b23fe34ddae56eae4bc7ed860ab73e

AjaxControlToolkit File Upload Directory Traversal

Change Mirror Download
The AjaxControlToolkit prior to version 15.1 has a file upload directory
traversal vulnerability which on a poorly configured web server can lead to
remote code execution.

The issue affects any application using the AjaxFileUpload control. The
vulnerability arises because the =E2=80=9CfileId=E2=80=9D is not validated =
and can be
altered by the user to contain directory traversal characters (\..\..\..\)
allowing an attacker to write the uploaded file to any location on the file
system that the web server=E2=80=99s file permissions allow.

The "fileid" parameter is passed when uploading files. Intercepting the
request and modifying the value of "fileid" to a directory path will result
in the file being uploaded to be placed in the location on the remote
server as long as file system permissions allow. If an attacker is capable
of writing an arbitrary file to the server's web directory then remote code
execution is possible. A demonstration of this is written here:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=>
e-code-execution-in-ajaxcontroltoolkit/

This issue has been reported to the vendor and an updated version of the
library has been made available.

CVE Number: CVE-2015-4670

Discovered by: Brian Cardinale

Write Up:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=>
e-code-execution-in-ajaxcontroltoolkit/

Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr= <https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr=>
c
Affected Versions:

* 7.1213.0
* 7.1005.0
* 7.1002.0
* 7.930.0
* 7.725.0
* 7.607.0
* 7.429.0
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close