Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Aspupload installs exploitable scripts

From: <brett () softwarecreations co nz>
Date: 30 Nov 2001 04:52:41 -0000


Title:  ASPUPLOAD Installs Exploitable Scripts By 
Default
        http://www.aspupload.com/

Author: Brett Moore
        brett () softwarecreations co nz

Systems Affected:
        Version 2.1 On Windows 
        Version 3.0 Was Not Available For Testing

Release Date:   30/11/2001
Vendor Contacted:  31/10/2001
Vendor Responded:31/10/2001 

The problem:
        Sample scripts are installed by default upon 
an installation of Aspupload.
        The sample folder is then shared for web 
access.
        One of these scripts demonstrates the 
capabilities to upload and rename a file.
        The form used in this demonstration has a 
hidden field that holds the name of the
        the new uploaded file. 
        The script is hard coded to upload to 
c:\upload but because there is no checking
        for ../ in the file save code we can traverse 
outside this folder and place the
        file anywhere on the drive. 
        This is limited to folders on c:\ in the case 
of this sample file.
        Another script allows directory browsing 
and file downloading.

Risk:
        Attackers can easily browse and download 
any file on the system with the rights 
        of the web server.
        Attackers can upload files to the server and 
run them from executable web folders.
       
Details:
        Download:       
        http://www.aspupload.com
        Samples Installed To:   C:\Program 
Files\Persits Software\AspUpload\Samples

        Vulnerable Script:      UploadScript11.asp
        Vulnerable Form:        Test11.asp

        Vulnerable Code: 
                Path = "c:\upload\" & Upload.Form
("Filename")
                File.SaveAs Path

        Vulnerable Script:      DirectoryListing.asp

Vendor Replied:
        "Most potentially dangerous features can be 
disabled by the system admin via
        registry settings. It is described in the 
manual."


Quick Fix:
        Sample scripts should never be installed on 
a live server. Unfortunately there is
        no option when installing aspupload. The 
sample files should be removed.

Recommendation:
        In the help file it does indeed have registry 
settings for restricting uploads.
        I tested these and it may depend on the 
individual setup as to wether this is
        still exploitable.
        If using aspupload in scripts on your server 
then we recommend reviewing these
        registry settings and testing for this bug.
        You should ensure that the scripts have 
adequate checking for exploits of this type.

Disclaimer:
        It wasn't me
Previous By Date Next
Previous By Thread Next

Current thread: