Aspupload installs exploitable scripts

From: brettat_private
Date: Thu Nov 29 2001 - 20:52:41 PST

    Title:  ASPUPLOAD Installs Exploitable Scripts By Default
    	http://www.aspupload.com/
    
    Author: Brett Moore
    	brettat_private
    
    Systems Affected:
    	Version 2.1 On Windows 
    	Version 3.0 Was Not Available For Testing
    
    Release Date:      30/11/2001
    Vendor Contacted:  31/10/2001
    Vendor Responded:  31/10/2001
    
    The problem:
    	Sample scripts are installed by default upon an installation of Aspupload, and the
    	sample folder is then shared for web access.
    	One of these scripts demonstrates the capability to upload and rename a file. The
    	form used in this demonstration has a hidden field that holds the name of the new
    	uploaded file.
    	The script is hard coded to upload to c:\upload, but because the file save code
    	does no checking for ../ (or ..\ on Windows) we can traverse outside this folder
    	and place the file anywhere on the drive. In the case of this sample file this is
    	limited to folders on c:\.
    	Another script allows directory browsing and file downloading.
    
    Risk:
    	Attackers can easily browse and download any file on the system that is readable
    	with the rights of the web server.
    	Attackers can upload files to the server and run them from executable web folders.
           
    Details:
    	Download:		http://www.aspupload.com
    	Samples Installed To:	C:\Program Files\Persits Software\AspUpload\Samples

    	Vulnerable Script:	UploadScript11.asp
    	Vulnerable Form:	Test11.asp

    	Vulnerable Code:
    		' "Filename" is taken straight from the hidden form field; nothing
    		' strips directory components or rejects ../ and ..\ before the save
    		Path = "c:\upload\" & Upload.Form("Filename")
    		File.SaveAs Path

    	Vulnerable Script:	DirectoryListing.asp
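    The traversal in UploadScript11.asp comes down to one unchecked string concatenation. The following is an added example, not code from this advisory or from the ASPUpload samples: the same unchecked join, next to the check a hardened upload handler would perform, written in Python with ntpath so the Windows path rules (backslashes, drive letters, ..\ collapsing at the drive root) apply on whatever host it is run on. The function names, the allowed-extension list and the form values fed through it are assumptions made for the illustration. It goes a little beyond the advisory's ../ case: it also handles ..\, a leading separator, drive letters, NTFS stream syntax and reserved device names, and it refuses a client-chosen executable extension, which is the second risk listed above. The same leaf-name and containment logic is what a directory listing or download script needs on its path parameter.

```python
"""Path-traversal check for a Windows file-upload handler.

Added example for the ASPUpload advisory; not code from ASPUpload or its
sample scripts. Helper names, the allowed-extension list and the sample
form values below are assumptions made here for illustration.
"""
import ntpath
import re

UPLOAD_DIR = r"c:\upload"  # hard-coded target folder, as in UploadScript11.asp

# Windows device names; the file system resolves these regardless of directory or extension.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})
# Allow-listed leaf name: must start with a word character, so '.' and '..' never pass.
_LEAF_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-]{0,63}")


def unchecked_upload_path(base_dir: str, form_filename: str) -> str:
    """What the sample script does: concatenate and save.
    A ..\\ (or ../) in the hidden 'Filename' field walks out of base_dir;
    the drive root is the only limit, which is why c:\\ is the boundary."""
    return ntpath.normpath(base_dir + "\\" + form_filename)


def safe_upload_path(base_dir: str, form_filename: str,
                     allowed_ext=(".txt", ".jpg")) -> str:
    """Hardened version: returns the path to save to, or raises ValueError."""
    # 1. Keep only the leaf: drop every directory component, whichever separator was used.
    leaf = form_filename.replace("/", "\\").rsplit("\\", 1)[-1]
    # Windows silently strips trailing dots and spaces, so strip them before validating.
    leaf = leaf.rstrip(" .")
    # 2. Allow-list the characters; this also throws out drive letters (d:) and
    #    NTFS stream syntax (name:stream), both of which contain a colon.
    if not _LEAF_RE.fullmatch(leaf):
        raise ValueError(f"rejected file name: {form_filename!r}")
    # 3. Refuse device names such as CON or NUL.txt.
    if leaf.split(".", 1)[0].upper() in _RESERVED:
        raise ValueError(f"reserved device name: {form_filename!r}")
    # 4. Do not let the client choose an executable extension (.asp, .aspx, ...).
    if ntpath.splitext(leaf)[1].lower() not in allowed_ext:
        raise ValueError(f"extension not allowed: {form_filename!r}")
    # 5. Belt and braces: canonicalise and confirm the result is still under base_dir.
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, leaf))
    try:
        inside = ntpath.commonpath([ntpath.normcase(base), ntpath.normcase(full)]) \
            == ntpath.normcase(base)
    except ValueError:  # different drives, or absolute/relative mix
        inside = False
    if not inside:
        raise ValueError(f"escapes upload folder: {form_filename!r}")
    return full


def demo() -> dict:
    """Constructed form values (assumed, not taken from the advisory) run
    through the hardened function. Returns {value: ("saved", path) | ("rejected", reason)}."""
    samples = [
        "report.txt",                        # ordinary upload
        r"..\..\inetpub\wwwroot\note.txt",    # traversal with backslashes
        "../../inetpub/wwwroot/note.txt",    # traversal with forward slashes
        r"\inetpub\wwwroot\note.txt",         # leading separator
        "shell.asp",                         # no traversal, but executable extension
        "NUL.txt",                           # reserved device name
        "note.txt:hidden",                   # NTFS alternate data stream syntax
    ]
    results = {}
    for value in samples:
        try:
            results[value] = ("saved", safe_upload_path(UPLOAD_DIR, value))
        except ValueError as exc:
            results[value] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:36} unchecked -> {unchecked_upload_path(UPLOAD_DIR, value)}")
        print(f"{'':36} hardened  -> {outcome}")
```

    Run as-is it prints, for each constructed form value, where the sample's concatenation would have written the file and what the hardened check does instead; the two traversal strings land at c:\inetpub\wwwroot\note.txt under the unchecked join and at c:\upload\note.txt under the hardened one. Reducing the value to a leaf name first means the containment check in step 5 should never fire; it is kept so that a later change to step 1 cannot silently reopen the hole.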
    
    Vendor Replied:
    	"Most potentially dangerous features can be disabled by the system admin via
    	registry settings. It is described in the manual."
    
    
    Quick Fix:
    	Sample scripts should never be installed on a live server. Unfortunately there is
    	no option to skip them when installing Aspupload, so the sample files should be
    	removed after installation.
    
    Recommendation:
    	The help file does indeed document registry settings for restricting uploads.
    	I tested these and it may depend on the individual setup as to whether this is
    	still exploitable.
    	If using Aspupload in scripts on your server then we recommend reviewing these
    	registry settings and testing for this bug.
    	You should ensure that the scripts have adequate checking for exploits of this type.
    
    Disclaimer:
    	It wasn't me
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 13:27:46 PST