Headline
TX Text Control .NET Server For ASP.NET Arbitrary File Read / Write
TX Text Control .NET Server For ASP.NET has an issue where it was possible to change the configured system path for reading and writing files in the underlying operating system with privileges of the user running a web application.
Hej,
Let’s keep it short …
=====
Intro
=====
A “sudo make me a sandwich” security issue has been identified in the TX
Text
Control .NET Server for ASP.NET[1].
According to the vendor[2], "the most powerful, MS Word compatible document
editor that runs in all browsers".
Likely all versions are affected however, it was not confirmed.
=====
Issue
=====
It was possible to change the configured system path for reading and writing
files in the underlying operating system with privileges of the user
running a
web application. This could be achieved by calling the setfiledirectory()
function exposed via JavaScript API[3].
===
PoC
===
– cut –
TXTextControl.setFileDirectory(0, “c:\”)
– cut –
See also the attached image file for details.
===========
Remediation
===========
Contact the vendor[4] directly for remediation guidance.
========
Timeline
========
14.10.2024: Security contact requested from [email protected]
.
31.10.2024: CVE requested from MITRE.
…2024: Nobody cares.
12.11.2024: The advisory has been released.
==========
References
==========
[1]
https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/
[2] https://www.textcontrol.com
[3]
https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm
[4] https://www.textcontrol.com/contact/email/general/
Cheers,
Filip Palian