From: brettsoftwarecreations.co.nz
Date: Thu Nov 29 2001 - 22:52:41 CST

    Title: ASPUPLOAD Installs Exploitable Scripts By Default
            http://www.aspupload.com/

    Author: Brett Moore
            brettsoftwarecreations.co.nz

    Systems Affected:
            Version 2.1 On Windows
            Version 3.0 Was Not Available For Testing

    Release Date: 30/11/2001
    Vendor Contacted: 31/10/2001
    Vendor Responded: 31/10/2001

    The problem:
            Sample scripts are installed by default upon an installation of Aspupload.
            The sample folder is then shared for web access.
            One of these scripts demonstrates the capability to upload and rename a file.
            The form used in this demonstration has a hidden field that holds the name of
            the new uploaded file.
            The script is hard coded to upload to c:\upload, but because there is no checking
            for ../ in the file save code we can traverse outside this folder and place the
            file anywhere on the drive.
            This is limited to folders on c:\ in the case of this sample file.
            Another script allows directory browsing and file downloading.

    Risk:
            Attackers can easily browse and download any file on the system with the rights
            of the web server.
            Attackers can upload files to the server and run them from executable web folders.

    Details:
            Download:
            http://www.aspupload.com
            Samples Installed To: C:\Program Files\Persits Software\AspUpload\Samples

            Vulnerable Script: UploadScript11.asp
            Vulnerable Form: Test11.asp

            Vulnerable Code:
                    Path = "c:\upload\" & Upload.Form("Filename")
                    File.SaveAs Path

            Vulnerable Script: DirectoryListing.asp

    Vendor Replied:
            "Most potentially dangerous features can be disabled by the system admin via
            registry settings. It is described in the manual."


    Quick Fix:
            Sample scripts should never be installed on a live server. Unfortunately there is
            no option when installing aspupload. The sample files should be removed.

    Recommendation:
            In the help file it does indeed have registry settings for restricting uploads.
            I tested these and it may depend on the individual setup as to whether this is
            still exploitable.
            If using aspupload in scripts on your server then we recommend reviewing these
            registry settings and testing for this bug.
            You should ensure that the scripts have adequate checking for exploits of this type.

    Disclaimer:
            It wasn't me
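
The check the recommendation asks for, as an added example that is not part of the original advisory or of AspUpload: a VBScript helper that validates the hidden Filename field before the save path is built. SafeUploadPath, the allow-list pattern and the sample names are assumptions made for illustration.

```vbscript
' Added example: SafeUploadPath and the sample names are hypothetical.
Option Explicit
Const UPLOAD_ROOT = "c:\upload"   ' folder the sample script hard-codes

' Returns the full path to save to, or "" when the client-supplied name is rejected.
Function SafeUploadPath(ByVal requestedName)
    Dim fso, re, root, candidate
    SafeUploadPath = ""
    requestedName = "" & requestedName          ' coerce Null/Empty to a string
    Set fso = CreateObject("Scripting.FileSystemObject")

    ' Allow-list a bare file name: letters, digits, "_" or "-", then one extension.
    ' This rejects "\", "/", ":", "..", empty names and trailing dots or spaces.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$"
    If Not re.Test(requestedName) Then Exit Function

    ' Defence in depth: canonicalise, then require the parent folder to be the root.
    root = fso.GetAbsolutePathName(UPLOAD_ROOT)
    candidate = fso.GetAbsolutePathName(fso.BuildPath(root, requestedName))
    If StrComp(fso.GetParentFolderName(candidate), root, vbTextCompare) <> 0 Then
        Exit Function
    End If
    SafeUploadPath = candidate
End Function

' In the script, the two lines quoted under "Vulnerable Code" would then read:
'   Path = SafeUploadPath("" & Upload.Form("Filename"))
'   If Path <> "" Then File.SaveAs Path

' Constructed inputs, checked from a command prompt with: cscript //nologo check.vbs
Dim sample, result
For Each sample In Array("report.txt", "../outside.txt", "..\outside.txt", _
                         "c:\other\file.txt", "sub/file.txt", "", "notes")
    result = SafeUploadPath(sample)
    If result = "" Then result = "(rejected)"
    WScript.Echo """" & sample & """ -> " & result
Next
```

The pattern does not restrict which extensions are accepted; where the upload folder is reachable from the web, narrow the extension part to the file types the application actually needs.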