vendor:
Web Wiz Rich Text Editor
by:
AmnPardaz Security Research Team
N/A
CVSS
N/A
Directory traversal + HTM/HTML file creation on the server
CWE
Product Name: Web Wiz Rich Text Editor
Affected Version From: 4
Affected Version To:
Patch Exists: No
Related CWE:
CPE:
Platforms Tested:
Unknown
Web Wiz Rich Text Editor(TM)
Input passed to the FolderName parameter in "RTE_file_browser.asp" is not properly sanitised before being used. This can be exploited to list directories, list txt and list zip files through directory traversal attacks. Also, "RTE_file_browser.asp" does not check user's session and an unauthenticated attacker can perform this attack. Moreover, by using "RTE_popup_save_file.asp" attacker can make his/her HTML or HTM file on the server, so this can be used in XSS attacks or making fake pages.
Mitigation:
Add the provided code to the affected lines in "RTE_file_browser.asp" to fix the vulnerability.