TX Text Control .NET Server For ASP.NET Arbitrary File Read / Write
2024-11-14 00:07:45 Author: packetstormsecurity.com

Hej,

Let's keep it short ...

=====

Intro

=====

A "sudo make me a sandwich" security issue has been identified in the TX Text Control .NET Server for ASP.NET[1].

According to the vendor[2], it is "the most powerful, MS Word compatible document editor that runs in all browsers".

All versions are likely affected; however, this was not confirmed.

=====

Issue

=====

It was possible to change the configured system path used for reading and writing files in the underlying operating system, with the privileges of the user running the web application. This could be achieved by calling the setFileDirectory() function exposed via the JavaScript API[3].

===

PoC

===

-- cut --

TXTextControl.setFileDirectory(0, "c:\\")

-- cut --

See also the attached image file for details.
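The PoC above points the server's file directory at the root of the drive. A server-side guard for such a client-supplied directory value, written here as an added illustration (it is not the vendor's code and assumes nothing about TX Text Control's internal API; the root path and class name are hypothetical), resolves the request against a configured root and rejects it unless the canonical result stays inside that root:

```csharp
// Added example, not TX Text Control code: a hypothetical server-side guard for a
// client-supplied "file directory" value, such as the one setFileDirectory() sends.
using System;
using System.IO;

public static class FileDirectoryGuard
{
    // Canonicalise the requested directory and accept it only if it stays inside
    // the configured root. Rejects absolute paths such as "c:\\", traversal via
    // "..", and sibling directories that merely share the root's name as a prefix.
    public static bool TryResolve(string configuredRoot, string requested, out string resolved)
    {
        resolved = null;
        // Absolute (or drive-relative) paths from the client are never accepted.
        if (string.IsNullOrWhiteSpace(requested) || Path.IsPathRooted(requested))
            return false;

        // Normalise the root and force a trailing separator so that
        // "C:\app\files_evil" is not accepted as living under "C:\app\files".
        string root = Path.GetFullPath(configuredRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments before the containment check.
        string candidate = Path.GetFullPath(Path.Combine(root, requested));

        // Windows file systems are case-insensitive; other platforms are not
        // (OperatingSystem.IsWindows() requires .NET 5 or later, an assumption here).
        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp))
            return false;

        resolved = candidate;
        return true;
    }

    public static void Main()
    {
        // Hypothetical configured root; the inputs below are constructed samples.
        string root = @"C:\inetpub\app\documents";
        foreach (var input in new[] { @"c:\", @"..\..\Windows", "invoices", @"..\documents_evil" })
        {
            bool ok = TryResolve(root, input, out string resolved);
            Console.WriteLine($"{input,-22} -> {(ok ? "accepted: " + resolved : "rejected")}");
        }
    }
}
```

Only the relative "invoices" request is accepted; the absolute drive root from the PoC, the traversal attempt and the prefix-sharing sibling are all rejected before any file access happens.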

===========

Remediation

===========

Contact the vendor[4] directly for remediation guidance.

========

Timeline

========

14.10.2024: Security contact requested from [email protected].

31.10.2024: CVE requested from MITRE.

......2024: Nobody cares.

12.11.2024: The advisory has been released.

==========

References

==========

[1] https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/

[2] https://www.textcontrol.com

[3] https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm

[4] https://www.textcontrol.com/contact/email/general/

Cheers,

Filip Palian


Source: https://packetstormsecurity.com/files/182654/txtextcontrol-fileread.txt