- The web application is vulnerable to multiple security vulnerabilities, such as unauthenticated file upload and XML External Entity (XXE) injection.

  1. Unauthenticated File Upload:
  The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension, it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.

  2. XXE Injection:
  The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks, which can be used to scan behind perimeter firewalls or possibly to include files from the local file system, e.g.
- Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.
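The upload issue above hinges on two gaps: the extension is not restricted to image types, and server-side code hidden in a JPEG comment (COM) segment is never inspected. The following added example (not the vendor's code or fix) shows one way a defender can check an upload before it is written under a web-served directory: enforce an extension allowlist, confirm the JPEG magic bytes, and walk the JPEG marker chain to flag ASP.NET code fragments inside COM segments. Allowed extensions, marker strings and the minimal JPEG builder are all constructed for this example.

```python
import os
import struct

# Only JPEG is accepted here; the advisory's case is ASPX code posing as a JPEG.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}
# Lower-cased ASP.NET fragments that never belong in an image comment (constructed list).
SERVER_CODE_MARKERS = (b"<%", b"<script", b"runat=")


def jpeg_com_segments(data: bytes):
    """Yield the payload of every JPEG COM (0xFFFE) segment in the header area."""
    if data[:2] != b"\xff\xd8":  # SOI marker missing: not a JPEG
        return
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:  # marker chain broken, stop parsing
            return
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more header segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:
            yield data[pos + 4:pos + 2 + length]
        pos += 2 + length


def check_upload(filename: str, data: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means accept."""
    findings = []
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        findings.append("extension-not-allowed")
    if data[:2] != b"\xff\xd8":
        findings.append("not-a-jpeg")
    for comment in jpeg_com_segments(data):
        if any(marker in comment.lower() for marker in SERVER_CODE_MARKERS):
            findings.append("code-in-comment")
            break
    return findings


def build_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG (SOI, one COM segment, EOI) used as sample input."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"
```

A real deployment would also store uploads outside the web root or with script execution disabled, so that an extension check is not the only control.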