SecurityTracker.com
Category:   Application (Web Server/CGI)  >   AspUpload
Vendors:   Persits Software, Inc.
AspUpload Default Configuration Installs Scripts That Allow Remote Users to Upload Arbitrary Files to the Server and Rename Those Files
SecurityTracker Alert ID:  1002878
SecurityTracker URL:  http://securitytracker.com/id/1002878
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 1 2001
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Version 2.1; other versions may be affected.
Description:   A configuration vulnerability has been reported in AspUpload. A remote user can upload and rename files in its default configuration.

It is reported that some potentially dangerous scripts are installed as part of the default configuration, including one (UploadScript11.asp) that allows remote users to upload and rename a file. A remote user can upload to any location on the server's c:\ drive by specifying a hidden variable contained in the Test11.asp HTML form. Another script reportedly allows a remote user to browse directories and download files.

It is reported that there is no option when installing the software to forbid sample scripts from being installed.

Impact:   A remote user can upload and rename files in its default configuration.
Solution:   The vendor has indicated that most of the potentially dangerous features can be disabled by the system administrator by modifying the registry settings as described in the manual.

The author of the report recommends removing the sample files.

Vendor URL:  www.aspupload.com/
Cause:   Configuration error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  30 Nov 2001 04:52:41 -0000
Subject:  Aspupload installs exploitable scripts




Title:  ASPUPLOAD Installs Exploitable Scripts By Default
	http://www.aspupload.com/

Author: Brett Moore
	brett@softwarecreations.co.nz

Systems Affected:
	Version 2.1 On Windows 
	Version 3.0 Was Not Available For Testing

Release Date:	30/11/2001
Vendor Contacted:  31/10/2001
Vendor Responded:  31/10/2001

The problem:
	Sample scripts are installed by default upon an installation of Aspupload.
	The sample folder is then shared for web access.
	One of these scripts demonstrates the capabilities to upload and rename a file.
	The form used in this demonstration has a hidden field that holds the name of the new uploaded file.
	The script is hard coded to upload to c:\upload but because there is no checking for ../ in the file save code we can traverse outside this folder and place the file anywhere on the drive.
	This is limited to folders on c:\ in the case of this sample file.
	Another script allows directory browsing and file downloading.

Risk:
	Attackers can easily browse and download any file on the system with the rights of the web server.
	Attackers can upload files to the server and run them from executable web folders.
       
Details:
	Download:	http://www.aspupload.com
	Samples Installed To:	C:\Program Files\Persits Software\AspUpload\Samples

	Vulnerable Script:	UploadScript11.asp
	Vulnerable Form:	Test11.asp

	Vulnerable Code:
		Path = "c:\upload\" & Upload.Form("Filename")
		File.SaveAs Path

	Vulnerable Script:	DirectoryListing.asp

Vendor Replied:
	"Most potentially dangerous features can be disabled by the system admin via registry settings. It is described in the manual."


Quick Fix:
	Sample scripts should never be installed on a live server. Unfortunately there is no option when installing aspupload. The sample files should be removed.

Recommendation:
	In the help file it does indeed have registry settings for restricting uploads.
	I tested these and it may depend on the individual setup as to whether this is still exploitable.
	If using aspupload in scripts on your server then we recommend reviewing these registry settings and testing for this bug.
	You should ensure that the scripts have adequate checking for exploits of this type.

Disclaimer:
	It wasn't me
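
The check the report says is missing from the file save code, sketched as an added example (not part of the report or of AspUpload) in Python with Windows path rules from `ntpath` rather than in ASP. The allow-list policy and the function names are assumptions; `c:\upload` is the folder named in the report, and the sample field values are constructed.

```python
import ntpath
import re

UPLOAD_ROOT = "c:\\upload"  # folder the sample script hard-codes
# Assumed policy: a leaf name made of letters, digits, '.', '_' and '-'.
LEAF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
# Windows device names, which are special in every directory.
RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}


def landing_path(filename):
    """Where the report's plain concatenation ends up once '..' is resolved."""
    return ntpath.normpath(UPLOAD_ROOT + "\\" + filename)


def safe_path(filename):
    """Return the path to save to, or None when the name must be refused."""
    if not LEAF_RE.fullmatch(filename or ""):
        return None  # any '\', '/', ':' or leading '.' fails the allow-list
    if filename.endswith("."):
        return None  # Windows silently drops trailing dots
    if filename.split(".")[0].lower() in RESERVED:
        return None  # e.g. NUL.txt still refers to the device
    candidate = ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))
    # Independent containment check: the parent must be the upload folder.
    parent = ntpath.normcase(ntpath.dirname(candidate))
    if parent != ntpath.normcase(UPLOAD_ROOT):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed field values, not taken from the report.
    for name in ["report.txt", "..\\other\\report.txt", "../other/report.txt",
                 "d:report.txt", "NUL.txt", "notes."]:
        print(f"{name!r:28} concat -> {landing_path(name)!r:26} "
              f"checked -> {safe_path(name)!r}")
```

The containment comparison is kept even though the allow-list already rejects separators, so the save stays inside the upload folder if the naming policy is later relaxed.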

 
 



Copyright 2014, SecurityGlobal.net LLC