CVE-2015-4670 - AjaxControlToolkit File Upload Directory Traversal

The AjaxControlToolkit prior to version 15.1 has a file upload directory
traversal vulnerability which on a poorly configured web server can lead to
remote code execution.

The issue affects any application using the AjaxFileUpload control. The
vulnerability arises because the =E2=80=9CfileId=E2=80=9D is not validated =
and can be
altered by the user to contain directory traversal characters (\…\…\…\)
allowing an attacker to write the uploaded file to any location on the file
system that the web server=E2=80=99s file permissions allow.

The "fileid" parameter is passed when uploading files. Intercepting the
request and modifying the value of "fileid" to a directory path will result
in the file being uploaded to be placed in the location on the remote
server as long as file system permissions allow. If an attacker is capable
of writing an arbitrary file to the server's web directory then remote code
execution is possible. A demonstration of this is written here:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=&gt;
e-code-execution-in-ajaxcontroltoolkit/

This issue has been reported to the vendor and an updated version of the
library has been made available.

CVE Number: CVE-2015-4670

Discovered by: Brian Cardinale

Write Up:
http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot= <http://www.cardinaleconcepts.com/cve-2015-4670-directory-traversal-to-remot=&gt;
e-code-execution-in-ajaxcontroltoolkit/

Sample Vuln App: https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr= <https://bitbucket.org/bcardinale/cve-2015-4670-vuln-app/sr=&gt;
c
Affected Versions:

• 7.1213.0
• 7.1005.0
• 7.1002.0
• 7.930.0
• 7.725.0
• 7.607.0
• 7.429.0