Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Web Wiz Rich Text Editor Directory traversal + HTM/HTML file creation on

from [admin] Network Security [Permanent Link]
Subject: Web Wiz Rich Text Editor Directory traversal + HTM/HTML file creation on the server
Date: Wed, 23 Jan 2008 11:06:27 +0330
########################## WwW.BugReport.ir ###########################################
#
# AmnPardaz Security Research Team
#
# Title: Web Wiz Rich Text Editor(TM)
# Vendor: http://www.webwizguide.com/
# Bug: Directory traversal + HTM/HTML file creation on the server
# Vulnerable Version: 4.0
# Exploit: Available
# Fix Available: No! Fast Solution is available.
###################################################################################


####################
- Description:
####################
Web Wiz Rich Text Editor (RTE) is a free WYSIWYG HTML Rich Text Editor that replaces standard textarea's with an advanced Word style HTMLarea.

####################
- Vulnerability:
####################
Input passed to the FolderName parameter in "RTE_file_browser.asp" is not properly sanitised before being used. This can be exploited to list directories, list txt and list zip files through directory traversal attacks.
Also, "RTE_file_browser.asp" does not check user's session and an unauthenticated attacker can perform this attack.
Moreover, by using "RTE_popup_save_file.asp" attacker can make his/her HTML or HTM file on the server, so this can be used in XSS attacks or making fake pages.

-POC:
http://[WebWiz RTE]/RTE_file_browser.asp?look=save&sub=\.....\\\.....\\\.....\\\.....\\\.....\\\
http://[WebWiz RTE]/RTE_popup_save_file.asp

####################
- Fast Solution :
####################
1- You can see below lines in "RTE_file_browser.asp"

        'Stip path tampering for security reasons
        strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
        strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
        strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
        strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)

Only add this to them:
        strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
        strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
        strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1)
2- Rename "RTE_popup_save_file.asp" till main solution by vendor

####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/31
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com




[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Web Wiz Rich Text Editor Directory traversal + HTM/HTML file creation on the server, admin <=
Previous by Date:  Web Wiz Forums Directory traversal, admin
Next by Date:  Web Wiz NewsPad Directory traversal, admin
Previous by Thread:  Web Wiz Forums Directory traversal, admin
Next by Thread:  Web Wiz NewsPad Directory traversal, admin
Indexes:  [Date] [Thread] [Top] [All Lists]