AspUpload Default Configuration Installs Scripts That Allow Remote Users to Upload Arbitrary Files to the Server and Rename Those Files
SecurityTracker Alert ID: 1002878
SecurityTracker URL: http://securitytracker.com/id/1002878
Date: Dec 1 2001
Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Version 2.1; other versions may be affected.
A configuration vulnerability has been reported in AspUpload. A remote user can upload and rename files in its default configuration.
It is reported that some potentially dangerous scripts are installed as part of the default configuration, including one (UploadScript11.asp) that allows remote users to upload and rename a file. A remote user can upload to any location on the server's c:\ drive by specifying a hidden variable contained in the Test11.asp HTML form. Another script reportedly allows a remote user to browse directories and download files.
It is reported that there is no option when installing the software to forbid sample scripts from being installed.
A remote user can upload and rename files in its default configuration.
The vendor has indicated that most of the potentially dangerous features can be disabled by the system administrator by modifying the registry settings as described in the manual.
The author of the report recommends removing the sample files.
Vendor URL: www.aspupload.com/
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
Source Message Contents
Subject: Aspupload installs exploitable scripts
Title: ASPUPLOAD Installs Exploitable Scripts By
Author: Brett Moore
Version 2.1 On Windows
Version 3.0 Was Not Available For Testing
Release Date: 30/11/2001
Vendor Contacted: 31/10/2001
Sample scripts are installed by default upon
an installation of Aspupload.
The sample folder is then shared for web
One of these scripts demonstrates the
capabilities to upload and rename a file.
The form used in this demonstration has a
hidden field that holds the name of
the new uploaded file.
The script is hard coded to upload to
c:\upload but because there is no checking
for ../ in the file save code we can traverse
outside this folder and place the
file anywhere on the drive.
This is limited to folders on c:\ in the case
of this sample file.
Another script allows directory browsing
and file downloading.
Attackers can easily browse and download
any file on the system with the rights
of the web server.
Attackers can upload files to the server and
run them from executable web folders.
Samples Installed To: C:\Program
Vulnerable Script: UploadScript11.asp
Vulnerable Form: Test11.asp
Path = "c:\upload\" & Upload.Form
Vulnerable Script: DirectoryListing.asp
"Most potentially dangerous features can be
disabled by the system admin via
registry settings. It is described in the
Sample scripts should never be installed on
a live server. Unfortunately there is
no option when installing aspupload. The
sample files should be removed.
In the help file it does indeed have registry
settings for restricting uploads.
I tested these and it may depend on the
individual setup as to whether this is
If using aspupload in scripts on your server
then we recommend reviewing these
registry settings and testing for this bug.
You should ensure that the scripts have
adequate checking for exploits of this type.
It wasn't me
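
The missing ../ check described in the message above, as an added example (not code from the advisory, from AspUpload, or from its sample scripts). It is written in Python, using the ntpath module to model how a path built by appending a form value to c:\upload\ resolves on Windows; the helper names and the sample field values are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, importable on any OS

UPLOAD_ROOT = "c:\\upload"  # the folder the advisory says the sample script is hard coded to


def naive_path(field_value):
    """Where root + client-supplied name points once Windows normalises it."""
    return ntpath.normpath(UPLOAD_ROOT + "\\" + field_value)


def inside_root(path, root=UPLOAD_ROOT):
    """True only if path is strictly below root (compared case-insensitively)."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    path_n = ntpath.normcase(ntpath.normpath(path))
    # The trailing separator stops a sibling such as c:\uploads from matching.
    return path_n.startswith(root_n + "\\")


def safe_path(field_value, root=UPLOAD_ROOT):
    """Return a save path inside root, or None when the supplied name is rejected."""
    # Accept a bare file name only: no separators, no drive or stream colon, no NUL.
    if not field_value or any(c in field_value for c in "\\/:\0"):
        return None
    # Windows drops trailing dots and spaces, so ".", ".." and "a.txt." are rejected.
    if field_value != field_value.rstrip(". "):
        return None
    candidate = ntpath.normpath(ntpath.join(root, field_value))
    # Defence in depth: re-check containment on the normalised result.
    return candidate if inside_root(candidate, root) else None


# Constructed sample values for the hidden "new file name" field (not from the advisory).
SAMPLES = ["report.txt", "..\\elsewhere\\report.txt", "../../report.txt",
           "..", "report.txt."]

if __name__ == "__main__":
    for value in SAMPLES:
        resolved = naive_path(value)
        print(f"{value!r:28} naive -> {resolved!r:30} "
              f"escapes={not inside_root(resolved)} safe -> {safe_path(value)!r}")
```

A script that reviews its own save code the way the message recommends would apply the same two steps: restrict the client-supplied value to a bare file name, then confirm the normalised result is still below the upload folder before saving.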