lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAN10O-ZYhLygp5dhZtAb_nqH-Xo_ccihWtdRmxVusSXQY_1UOw@mail.gmail.com>
Date: Tue, 12 Nov 2024 11:51:22 +1100
From: Filip Palian <s3810@...stk.edu.pl>
To: fulldisclosure@...lists.org
Subject: [FD] Security issue in the TX Text Control .NET Server for ASP.NET.

Hej,


Let's keep it short ...


=====

Intro

=====

A "sudo make me a sandwich" security issue has been identified in the TX
Text

Control .NET Server for ASP.NET[1].

According to the vendor[2], "the most powerful, MS Word compatible document

editor that runs in all browsers".

Likely all versions are affected however, it was not confirmed.


=====

Issue

=====

It was possible to change the configured system path for reading and writing

files in the underlying operating system with privileges of the user
running a

web application. This could be achieved by calling the setfiledirectory()

function exposed via JavaScript API[3].


===

PoC

===

-- cut --

TXTextControl.setFileDirectory(0, "c:\\")

-- cut --


See also the attached image file for details.


===========

Remediation

===========

Contact the vendor[4] directly for remediation guidance.


========

Timeline

========

14.10.2024: Security contact requested from sales.department@...tcontrol.com
.

31.10.2024: CVE requested from MITRE.

......2024: Nobody cares.

12.11.2024: The advisory has been released.


==========

References

==========

[1]
https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/

[2] https://www.textcontrol.com

[3]
https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm

[4] https://www.textcontrol.com/contact/email/general/



Cheers,

Filip Palian

Download attachment "poc.png" of type "image/png" (430841 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ