The web application is affected by multiple security vulnerabilities, including
unauthenticated file upload and XML eXternal Entity (XXE) injection.
1. Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.
2. XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity (XXE) attacks, which can be used to scan hosts behind the perimeter firewall or possibly to include files from the local file system, e.g.
Remediation:
- Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.
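As an added illustration of the two mitigations (this is example code written for this page, not the affected application's own code; the class and method names are assumed), a hardened XML parser configuration for an ASP.NET XML-RPC endpoint and an extension allowlist for an image upload handler:

```csharp
using System;
using System.IO;
using System.Xml;

// Hardened parsing for an XML-RPC style endpoint (hypothetical class name).
// DTD processing is prohibited and no resolver is set, so a request carrying
// an external entity declaration fails to parse instead of being fetched.
public static class SafeXmlRpc
{
    public static XmlDocument ParseRequest(string body)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,  // reject any <!DOCTYPE ...>
            XmlResolver = null,                      // never resolve external URIs
            MaxCharactersFromEntities = 1024         // also bounds entity expansion
        };
        using (var reader = XmlReader.Create(new StringReader(body), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader); // throws XmlException on a DOCTYPE, i.e. on an XXE payload
            return doc;
        }
    }
}

// Allowlist check for an image upload handler (hypothetical class name).
// The decision is made on the stored file name, so an image with ASPX code
// in its comment section is refused as soon as an .aspx name is requested,
// whatever the JPEG bytes contain.
public static class UploadPolicy
{
    private static readonly string[] AllowedImageExtensions =
        { ".jpg", ".jpeg", ".png", ".gif" };

    public static bool IsAllowedImageName(string fileName)
    {
        string ext = Path.GetExtension(fileName ?? string.Empty).ToLowerInvariant();
        // Path.GetExtension keeps only the last extension; store the file under a
        // server-generated name so the client-supplied name never reaches disk.
        return Array.IndexOf(AllowedImageExtensions, ext) >= 0;
    }
}
```

The upload form itself should additionally be placed behind the application's authentication (for example an `<authorization>` rule on the /WorkArea path), since the allowlist only limits what an already-permitted user can store.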