Multiple Vulnerabilities in RADactive I-Load

SEC Consult Security Advisory < 20090917-0 >

=======================================================================

title: Multiple Vulnerabilities in RADactive I-Load

products: RADactive I-Load

vulnerable version: <= I-Load 2008.2.4.0

fixed version: I-Load 2008.2.5.0

impact: critical

homepage: i-load.radactive.com

found: 2009-07-20

by: S. Streichsbier / SEC Consult / www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

I-Load is an ASP.NET component explicitly created to manage image uploading

within ASP.NET applications. Unlike other image manipulation libraries,

I-Load uses a sophisticated graphical interface which allows the uploading,

resizing, cropping and rotating of photos.

 

source: i-load.radactive.com/en/documentation/

 

Vulnerability overview/description:

-----------------------------------

The I-Load component contains multiple vulnerabilities which are described

below.

 

* Path Disclosure:

******************

 

The WebCoreModule.ashx script prints the absolute path of the folder name, where

images are saved to, in some requests and responses. This can help an attacker

with the exploitation of the also existing file disclosure vulnerability.

 

* Cross Site Scripting:

***********************

 

Most of the parameters used by WebcodeModule.ashx start with two underscores

"__" which disables the build-in ASP.NET "Anti Cross Site Scripting"

functionality. Some parameters are not sufficiently validated and can be

exploited to inject arbitrary JavaScript into the response.

 

 

* File Disclosure:

******************

 

WebCoreModule.ashx can be exploited by the means of path traversal to read

arbitrary files on the server given that the file permissions allow it. An

attacker is able to gain sensitive data such as configuration files

(e.g. Web.config), the whole source code of the application or other sensitive

data on the server.

 

 

* Arbitrary File Upload:

************************

 

It is potentially possible to upload an arbitrary file using the I-Load

Webcontrol with a user-defined file extension. The filename itself is

dynamically generated, but it is possible to reproduce that parameter in

advance. The file remains on the server for a very short period of time.

Nevertheless, during this time frame it could be possible to execute that file

and thus compromise the affected server.

 

Proof of Concept:

-----------------

SEC Consult will not release proof of concept exploits to the public.

 

Vulnerable versions:

--------------------

RADactive I-Load 2008.2.4.0

 

Prior versions are most likely also vulnerable.

 

Solution:

---------

Immediately upgrade to version 2008.2.5.0 which is available at

i-load.radactive.com/en/download/.

 

Changelog: radnet.radactive.com/forum/Default.aspx

 

Vendor contact time line:

------------------------

2009-09-01: Contacting RADactive.

2009-09-02: Reply from RADactive.

2009-09-02: Preliminary advisory with full vulnerability details was sent to

RADactive.

2009-09-09: Reply from RADactive, vulnerabilities have been fixed and a new

version has been released.

2009-09-10: Final version of the advisory sent to RADactive and release date

was scheduled.

2009-09-10: Reply from RADactive.

2009-09-17: Release of the advisory.

 

Advisory URL:

-------------

www.sec-consult.com/advisories_e.html

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

SEC Consult conducts periodical information security workshops on ISO

27001/BS 7799 in cooperation with BSI Management Systems. For more

information, please refer to www.sec-consult.com/academy_e.html

 

EOF S. Streichsbier / @2009