AjaxControlToolkit File Upload Directory Traversal

Posted Jul 14, 2015
Authored by Brian Cardinale

The AjaxControlToolkit prior to version 15.1 has a file upload directory traversal vulnerability which on a poorly configured web server can lead to remote code execution.

tags | advisory, remote, web, code execution, file upload
advisories | CVE-2015-4670
SHA-256 | 3ecb8a9a5021d70b1e7c79052e7ca74b09b23fe34ddae56eae4bc7ed860ab73e

The issue affects any application using the AjaxFileUpload control. The
vulnerability arises because the "fileId" value is not validated and can be
altered by the user to contain directory traversal sequences (\..\..\..\),
allowing an attacker to write the uploaded file to any location on the file
system that the web server's file permissions allow.

The "fileid" parameter is passed when uploading files. Intercepting the
request and modifying the value of "fileid" to a directory path results in
the uploaded file being placed at that location on the remote server, as
long as file system permissions allow it. If an attacker can write an
arbitrary file into the server's web directory, remote code execution is
possible; this is why the impact depends on configuration, since the web
server's worker identity must have write access to a directory from which
the server will execute what it finds. A demonstration is written up here:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/
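The pattern the advisory describes, as an added example written for this page (it is not the toolkit's code and not the author's proof of concept): a naive temp-path builder that trusts the client-supplied fileid, beside a hardened one that allow-lists the id shape and then confirms the canonical path still lies under the upload folder. The upload folder, the 32-hex-digit id format, the "done" parameter and the sample query strings are assumptions made for illustration; only the fileid parameter name comes from the advisory. Python's ntpath module is used so that Windows path semantics (backslash and slash both act as separators, rooted paths override the base) can be exercised on any platform.

```python
import ntpath
import re
from urllib.parse import parse_qs

# Illustrative temp folder under the site; the advisory does not state where
# AjaxFileUpload actually stages uploads, so this path is an assumption.
UPLOAD_ROOT = r"C:\inetpub\wwwroot\App_Data\_AjaxFileUpload"


class TraversalError(ValueError):
    """Raised when a client-supplied fileid would leave UPLOAD_ROOT."""


def _under_root(candidate):
    # Case-insensitive prefix test after canonicalisation, so C:\X and c:\x agree
    # and '/' separators (also accepted by Windows) are folded to '\'.
    root = ntpath.normcase(ntpath.normpath(UPLOAD_ROOT)) + "\\"
    return ntpath.normcase(candidate).startswith(root)


def vulnerable_temp_path(file_id):
    """The pattern the advisory describes: the client-chosen fileid goes into the
    path unvalidated, so '..' segments (and rooted paths) walk out of UPLOAD_ROOT."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, file_id))


def escapes_root(file_id):
    """True when the naive join lands outside UPLOAD_ROOT, i.e. the traversal works."""
    return not _under_root(vulnerable_temp_path(file_id))


# Defence 1: the server issues fileids itself, so their shape can be allow-listed.
# 32 hex digits (a GUID without dashes) is an assumed format; match what you issue.
FILE_ID_RE = re.compile(r"[0-9a-fA-F]{32}")


def safe_temp_path(file_id):
    """Hardened form: reject anything but an issued-id shape, then verify the
    canonical path still lies under UPLOAD_ROOT before touching the filesystem."""
    if not FILE_ID_RE.fullmatch(file_id):
        raise TraversalError("fileid is not an issued id: %r" % file_id)
    candidate = ntpath.normpath(ntpath.join(UPLOAD_ROOT, file_id))
    # Defence 2 is redundant given defence 1 but cheap; it is what catches the
    # bug when the allow-list is forgotten or loosened later.
    if not _under_root(candidate):
        raise TraversalError("resolved path escapes upload root: %r" % candidate)
    return candidate


def rejected(file_id):
    """Does the hardened path builder refuse this id?"""
    try:
        safe_temp_path(file_id)
    except TraversalError:
        return True
    return False


def fileid_from_query(query_string):
    """Pull fileid out of an upload request's query string. The parameter name is
    taken from the advisory; the surrounding parameters are not specified there."""
    params = parse_qs(query_string, keep_blank_values=True)
    for key in ("fileId", "fileid"):
        if key in params:
            return params[key][0]
    return None


# Constructed sample requests, not captured traffic. %5C is a URL-encoded backslash.
BENIGN_QUERY = "fileId=3f2a9c1d8b7e4a6f9c0d1e2f3a4b5c6d&done=1"
EVIL_QUERY = "fileId=..%5C..%5Cshell.aspx&done=1"


if __name__ == "__main__":
    for qs in (BENIGN_QUERY, EVIL_QUERY):
        fid = fileid_from_query(qs)
        print("fileid=%r naive=%r escapes=%s rejected=%s"
              % (fid, vulnerable_temp_path(fid), escapes_root(fid), rejected(fid)))
```

The allow-list comes first on purpose. Windows applies its own normalisation that a string-prefix check after normpath does not model (trailing dots and spaces are stripped, 8.3 short names and NTFS alternate data streams such as name::$DATA exist), so the containment check alone is weaker than it looks; an id that can only ever be hex digits has none of those problems.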

This issue has been reported to the vendor and an updated version of the
library has been made available.

CVE Number: CVE-2015-4670

Discovered by: Brian Cardinale

Write Up:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remote-code-execution-in-ajaxcontroltoolkit/

Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/src

Affected Versions:

* 7.1213.0
* 7.1005.0
* 7.1002.0
* 7.930.0
* 7.725.0
* 7.607.0
* 7.429.0