Security
Headlines
HeadlinesLatestCVEs

Headline

TX Text Control .NET Server For ASP.NET Arbitrary File Read / Write

TX Text Control .NET Server For ASP.NET has an issue where it was possible to change the configured system path for reading and writing files in the underlying operating system with privileges of the user running a web application.

Packet Storm
#web#java#asp.net

Hej,

Let’s keep it short …

=====

Intro

=====

A “sudo make me a sandwich” security issue has been identified in the TX
Text

Control .NET Server for ASP.NET[1].

According to the vendor[2], "the most powerful, MS Word compatible document

editor that runs in all browsers".

Likely all versions are affected however, it was not confirmed.

=====

Issue

=====

It was possible to change the configured system path for reading and writing

files in the underlying operating system with privileges of the user
running a

web application. This could be achieved by calling the setfiledirectory()

function exposed via JavaScript API[3].

===

PoC

===

– cut –

TXTextControl.setFileDirectory(0, “c:\”)

– cut –

See also the attached image file for details.

===========

Remediation

===========

Contact the vendor[4] directly for remediation guidance.

========

Timeline

========

14.10.2024: Security contact requested from [email protected]
.

31.10.2024: CVE requested from MITRE.

…2024: Nobody cares.

12.11.2024: The advisory has been released.

==========

References

==========

[1]
https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/

[2] https://www.textcontrol.com

[3]
https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm

[4] https://www.textcontrol.com/contact/email/general/

Cheers,

Filip Palian

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution