Web Wiz Rich Text Editor Directory traversal + HTM/HTML file

看板Bugtraq作者admin.時間18年前 (2008/01/24 00:59)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串1/1

########################## WwW.BugReport.ir =20 ########################################### # # AmnPardaz Security Research Team # # Title: Web Wiz Rich Text Editor(TM) # Vendor: http://www.webwizguide.com/ # Bug: Directory traversal + HTM/HTML file creation on the server # Vulnerable Version: 4.0 # Exploit: Available # Fix Available: No! Fast Solution is available. ############################################################################= ####### #################### - Description: #################### Web Wiz Rich Text Editor (RTE) is a free WYSIWYG HTML Rich Text Editor =20 that replaces standard textarea's with an advanced Word style HTMLarea. #################### - Vulnerability: #################### Input passed to the FolderName parameter in "RTE_file_browser.asp" is =20 not properly sanitised before being used. This can be exploited to =20 list directories, list txt and list zip files through directory =20 traversal attacks. Also, "RTE_file_browser.asp" does not check user's session and an =20 unauthenticated attacker can perform this attack. Moreover, by using "RTE_popup_save_file.asp" attacker can make his/her =20 HTML or HTM file on the server, so this can be used in XSS attacks or =20 making fake pages. -POC: http://[WebWiz =20 RTE]/RTE_file_browser.asp?look=3Dsave&sub=3D\.....\\\.....\\\.....\\\.....\\= \.....\\\ http://[WebWiz RTE]/RTE_popup_save_file.asp #################### - Fast Solution : #################### 1- You can see below lines in "RTE_file_browser.asp" =09'Stip path tampering for security reasons =09strSubFolderName =3D Replace(strSubFolderName, "../", "", 1, -1, 1) =09strSubFolderName =3D Replace(strSubFolderName, "..\", "", 1, -1, 1) =09strSubFolderName =3D Replace(strSubFolderName, "./", "", 1, -1, 1) =09strSubFolderName =3D Replace(strSubFolderName, ".\", "", 1, -1, 1) Only add this to them: =09strSubFolderName =3D Replace(strSubFolderName, "/", "\", 1, -1, 1) =09strSubFolderName =3D Replace(strSubFolderName, "\\", "\", 1, -1, 1) =09strSubFolderName =3D Replace(strSubFolderName, "..", "", 1, -1, 1) 2- Rename "RTE_popup_save_file.asp" till main solution by vendor #################### - Credit : #################### Original Advisory: http://www.bugreport.ir/?/31 AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com

‣ 返回看板[ Bugtraq ] 臭蟲

‣ 更多 admin. 的文章

文章代碼(AID): #17bt9c00 (Bugtraq)