
Check Box 2016 Q2 Survey Directory Traversal / Open Redirection

17 Jan 2017 · Reported by Fady Mohamed Osman · Type: packetstorm · Source: packetstormsecurity.com

Checkbox 2016 Q2 Survey Multiple Vulnerabilities, including Directory Traversal and Open Redirection

Code
`# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities  
# Exploit Author: Fady Mohamed Osman (@fady_osman)  
# Exploit-db : http://www.exploit-db.com/author/?a=2986  
# Youtube : https://www.youtube.com/user/cutehack3r  
# Date: Jan 17, 2017  
# Vendor Homepage: https://www.checkbox.com/  
# Software Link: https://www.checkbox.com/free-checkbox-trial/  
# Version: Check Box 2016 Q2, Check Box 2016 Q4 - Fixed in Checkbox Survey,  
Inc. v6.7  
# Tested on: Check Box 2016 Q2 Trial on Windows Server 2012.  
# Description : Checkbox is a survey application deployed by a number of  
highly profiled companies and government entities like Microsoft, AT&T,  
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret  
Service, U.S. Nuclear Regulatory Commission, UNAIDS, State Of California  
and more!!  
  
For a full list of their clients please visit:  
https://www.checkbox.com/clients/  
  
1- Directory traversal vulnerability : For example to download the  
web.config file we can send a request as the following:  
http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config  
  
2- Direct Object Reference :  
attachments to surveys can be accessed directly without login as the  
following:  
https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001  
I created a script that can bruteforce the numbers to find ID's that will  
download the attachment and you can easily write one on your own ;).  
  
3- Open redirection in login page for example:  
https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com  
  
If you can't see why an open redirection is a problem in login page please  
visit the following page:  
https://www.asp.net/mvc/overview/security/preventing-open-redirection-attacks  
  
  
Timeline:  
December 2016 - Discovered the vulnerability during Pen. Test conducted by  
ZINAD IT for one of our clients.  
Jan 12,2017 - Reported to vendor.  
Jan 15,2017 - Sent a kind reminder to the vendor.  
Jan 16,2017 - First Vendor Response said they will only consider directory  
traversal as a vulnerability and that a fix will be sent in the next day.  
Jan 16,2017 - Replied to explain why DOR and Open Redirect are a problem.  
Jan 17,2017 - Patch Release Fixed the Directory Traversal.  
Jan 17,2017 - Sent another email to confirm if DOR and open redirect won't  
be fixed.  
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch  
released before. For DOR, the vendor said they didn't believe that's a  
security concern and that they have added a warning to let users know that  
their attachments will be available to anyone with access to that survey page !!  
  
`
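
A defender-side check for the three request patterns in the advisory, as an added example that is not part of the original advisory: it scans web-server log lines for traversal sequences in `f`, non-local `ReturnUrl` values, and a single client requesting many distinct `contentId` values. The log layout, sample lines, function names and the enumeration threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Constructed sample lines (assumed layout: client-ip method path query status).
SAMPLE_LOG = """\
203.0.113.7 GET /Checkbox/Upload.ashx f=..%5C..%5Cweb.config&n=web.config 200
203.0.113.7 GET /Checkbox/Upload.ashx f=logo.png&n=logo.png 200
198.51.100.9 GET /Checkbox/Login.aspx ReturnUrl=http%3A%2F%2Fwww.google.com 200
198.51.100.9 GET /Checkbox/Login.aspx ReturnUrl=%2FCheckbox%2FDefault.aspx 200
192.0.2.44 GET /Checkbox/ViewContent.aspx contentId=5001 200
192.0.2.44 GET /Checkbox/ViewContent.aspx contentId=5002 404
192.0.2.44 GET /Checkbox/ViewContent.aspx contentId=5003 200
192.0.2.44 GET /Checkbox/ViewContent.aspx contentId=5004 404
"""

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is still seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_local_url(url):
    """Local means a single leading '/', so no scheme, '//host' or '/\\host'."""
    return url.startswith("/") and not url.startswith(("//", "/\\"))

def scan(log_text, enum_threshold=3):
    """Return (client, finding, detail) tuples for the three request patterns."""
    findings, ids_by_client = [], defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ip, _method, path, query, _status = line.split()
        page = path.rsplit("/", 1)[-1].lower()
        # ASP.NET query keys are case-insensitive, so normalise them.
        params = {k.lower(): fully_decode(v[0]) for k, v in parse_qs(query).items()}
        if page == "upload.ashx" and re.search(r"\.\.[\\/]|^[\\/]|^[A-Za-z]:", params.get("f", "")):
            findings.append((ip, "traversal", params["f"]))
        elif page == "login.aspx" and not is_local_url(params.get("returnurl", "/")):
            findings.append((ip, "open-redirect", params["returnurl"]))
        elif page == "viewcontent.aspx" and params.get("contentid", "").isdecimal():
            ids_by_client[ip].add(int(params["contentid"]))
    # Many distinct attachment ids from one client suggests id enumeration.
    for ip, ids in ids_by_client.items():
        if len(ids) >= enum_threshold:
            findings.append((ip, "contentid-enumeration", f"{len(ids)} distinct ids"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same `is_local_url` rule is the shape of the server-side fix for the login redirect: reject any `ReturnUrl` that is not a single-slash local path before redirecting.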
