The web application is affected by multiple security vulnerabilities, including
unauthenticated file upload and XML eXternal Entity (XXE) injection.
1. Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.
2. XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks, which can be used to scan behind perimeter firewalls or possibly to include files from the local file system, e.g.
- Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.