Check Box 2016 Q2 Survey - Multiple Vulnerabilities

ID 1337DAY-ID-26717
Type zdt
Reporter Fady Mohammed Osman
Modified 2017-01-17T00:00:00


Exploit for asp platform in category web applications

                                            # Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db :
# Youtube :
# Date: Jan 17, 2017
# Vendor Homepage:
# Software Link:
# Version: Check Box 2016 Q2,Check Box 2016 Q4  - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service,  U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!
For a full list of their clients please visit:
1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:\..\web.config&n=web.config
2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).
3- Open redirection in login page for example:
If you can't see why an open redirection is a problem in login page please
visit the following page:
December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!

# [2018-01-10]  #