Description
Brian Cardinale reported a file upload directory traversal vulnerability that affects the AjaxControlToolkit prior to version 15.1. On a poorly configured web server this vulnerability can lead to remote code execution. The flaw was introduced in version 7.429 which was released on April 30, 2013. The latest vulnerable version is 7.1213.
List of vulnerable versions:
- 7.1213.0
- 7.1005.0
- 7.1002.0
- 7.930.0
- 7.725.0
- 7.607.0
- 7.429.0
Remediation
It's recommended to upgrade to the latest version of AjaxControlToolkit.
References
Related Vulnerabilities
WordPress Plugin AccessAlly PHP Code Execution (3.3.1)
WordPress Plugin Groundhogg-Marketing Automation & CRM for WordPress Remote Code Execution (1.3.4)
WordPress Plugin Resume Submissions & Job Postings Arbitrary File Upload (2.5.1)
WordPress Plugin Photo Gallery, Images, Slider in Rbs Image Gallery Remote Code Execution (2.0.14)