Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18930
HistoryJan 24, 2008 - 12:00 a.m.

Web Wiz Rich Text Editor Directory traversal + HTM/HTML file creation on the server

2008-01-2400:00:00
vulners.com
23
JSON

########################## WwW.BugReport.ir
###########################################

AmnPardaz Security Research Team

Title: Web Wiz Rich Text Editor(TM)

Vendor: http://www.webwizguide.com/

Bug: Directory traversal + HTM/HTML file creation on the server

Vulnerable Version: 4.0

Exploit: Available

Fix Available: No! Fast Solution is available.

###################################################################################

####################

  • Description:
    ####################
    Web Wiz Rich Text Editor (RTE) is a free WYSIWYG HTML Rich Text Editor
    that replaces standard textarea's with an advanced Word style HTMLarea.

####################

  • Vulnerability:
    ####################
    Input passed to the FolderName parameter in "RTE_file_browser.asp" is
    not properly sanitised before being used. This can be exploited to
    list directories, list txt and list zip files through directory
    traversal attacks.
    Also, "RTE_file_browser.asp" does not check user's session and an
    unauthenticated attacker can perform this attack.
    Moreover, by using "RTE_popup_save_file.asp" attacker can make his/her
    HTML or HTM file on the server, so this can be used in XSS attacks or
    making fake pages.

-POC:
http://[WebWiz
RTE]/RTE_file_browser.asp?look=save&sub=\…\\\…\\\…\\\…\\\…\\\
http://[WebWiz RTE]/RTE_popup_save_file.asp

####################

  • Fast Solution :
    ####################
    1- You can see below lines in "RTE_file_browser.asp"

      'Stip path tampering for security reasons
  strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
  strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
  strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
  strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)

Only add this to them:
strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "…", "", 1, -1, 1)
2- Rename "RTE_popup_save_file.asp" till main solution by vendor

####################

JSON