Aspupload installs exploitable scripts

Type securityvulns
Reporter Securityvulns
Modified 2001-12-01T00:00:00


Title: ASPUPLOAD Installs Exploitable Scripts By Default

Author: Brett Moore

Systems Affected: Version 2.1 On Windows Version 3.0 Was Not Available For Testing

Release Date: 30/11/2001 Vendor Contacted: 31/10/2001 Vendor Responded:31/10/2001

The problem: Sample scripts are installed by default upon an installation of Aspupload. The sample folder is then shared for web access. One of these scripts demonstrates the capabilities to upload and rename a file. The form used in this demonstration has a hidden field that holds the name of the the new uploaded file. The script is hard coded to upload to c:\upload but because there is no checking for ../ in the file save code we can traverse outside this folder and place the file anywhere on the drive. This is limited to folders on c:\ in the case of this sample file. Another script allows directory browsing and file downloading.

Risk: Attackers can easily browse and download any file on the system with the rights of the web server. Attackers can upload files to the server and run them from executable web folders.

Details: Download: Samples Installed To: C:\Program Files\Persits Software\AspUpload\Samples

    Vulnerable Script:      UploadScript11.asp
    Vulnerable Form:        Test11.asp

    Vulnerable Code: 
            Path = "c:\upload\" & Upload.Form

("Filename") File.SaveAs Path

    Vulnerable Script:      DirectoryListing.asp

Vendor Replied: "Most potentially dangerous features can be disabled by the system admin via registry settings. It is described in the manual."

Quick Fix: Sample scripts should never be installed on a live server. Unfortunately there is no option when installing aspupload. The sample files should be removed.

Recommendation: In the help file it does indeed have registry settings for restricting uploads. I tested these and it may depend on the individual setup as to wether this is still exploitable. If using aspupload in scripts on your server then we recommend reviewing these registry settings and testing for this bug. You should ensure that the scripts have adequate checking for exploits of this type.

Disclaimer: It wasn't me