exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

RADactive I-Load XSS / Disclosure / Upload

RADactive I-Load XSS / Disclosure / Upload
Posted Sep 19, 2009
Authored by Stefan Streichsbier | Site sec-consult.com

RADactive I-Load version 2008.2.4.0 suffers from cross site scripting, file disclosure, and file upload vulnerabilities.

tags | advisory, vulnerability, xss, file upload
SHA-256 | c73f8131d8b7af1c98eaee0158df5332fbfc1b52e29e3faae8acbe5a3fe2ab6f

RADactive I-Load XSS / Disclosure / Upload

Change Mirror Download
SEC Consult Security Advisory < 20090917-0 >
=======================================================================
title: Multiple Vulnerabilities in RADactive I-Load
products: RADactive I-Load
vulnerable version: <= I-Load 2008.2.4.0
fixed version: I-Load 2008.2.5.0
impact: critical
homepage: http://i-load.radactive.com/
found: 2009-07-20
by: S. Streichsbier / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------
I-Load is an ASP.NET component explicitly created to manage image uploading
within ASP.NET applications. Unlike other image manipulation libraries,
I-Load uses a sophisticated graphical interface which allows the uploading,
resizing, cropping and rotating of photos.

source: http://i-load.radactive.com/en/documentation/

Vulnerability overview/description:
-----------------------------------
The I-Load component contains multiple vulnerabilities which are described
below.

* Path Disclosure:
******************

The WebCoreModule.ashx script prints the absolute path of the folder
name, where
images are saved to, in some requests and responses. This can help an
attacker
with the exploitation of the also existing file disclosure vulnerability.

* Cross Site Scripting:
***********************

Most of the parameters used by WebcodeModule.ashx start with two
underscores
"__" which disables the build-in ASP.NET "Anti Cross Site Scripting"
functionality. Some parameters are not sufficiently validated and can be
exploited to inject arbitrary JavaScript into the response.


* File Disclosure:
******************

WebCoreModule.ashx can be exploited by the means of path traversal to read
arbitrary files on the server given that the file permissions allow it. An
attacker is able to gain sensitive data such as configuration files
(e.g. Web.config), the whole source code of the application or other
sensitive
data on the server.


* Arbitrary File Upload:
************************

It is potentially possible to upload an arbitrary file using the I-Load
Webcontrol with a user-defined file extension. The filename itself is
dynamically generated, but it is possible to reproduce that parameter in
advance. The file remains on the server for a very short period of time.
Nevertheless, during this time frame it could be possible to execute
that file
and thus compromise the affected server.

Proof of Concept:
-----------------
SEC Consult will not release proof of concept exploits to the public.

Vulnerable versions:
--------------------
RADactive I-Load 2008.2.4.0

Prior versions are most likely also vulnerable.

Solution:
---------
Immediately upgrade to version 2008.2.5.0 which is available at
http://i-load.radactive.com/en/download/.

Changelog: http://radnet.radactive.com/forum/Default.aspx?g=posts&t=339

Vendor contact time line:
------------------------
2009-09-01: Contacting RADactive.
2009-09-02: Reply from RADactive.
2009-09-02: Preliminary advisory with full vulnerability details was sent to
RADactive.
2009-09-09: Reply from RADactive, vulnerabilities have been fixed and a new
version has been released.
2009-09-10: Final version of the advisory sent to RADactive and release date
was scheduled.
2009-09-10: Reply from RADactive.
2009-09-17: Release of the advisory.

Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a62

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF S. Streichsbier / @2009
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close