TX Text Control .NET Server For ASP.NET Arbitrary File Read / Write
Hi,
Let’s keep it short …
=====
Intro
=====
A “sudo make me a sandwich” security issue has been identified in the TX Text Control .NET Server for ASP.NET[1].
According to the vendor[2], “the most powerful, MS Word compatible document
editor that runs in all browsers”.
All versions are likely affected; however, this was not confirmed.
=====
Issue
=====
It was possible to change the configured system path used for reading and writing files on the underlying operating system, with the privileges of the user running the web application. This could be achieved by calling the setFileDirectory() function exposed via the JavaScript API[3].
===
PoC
===
— cut —
TXTextControl.setFileDirectory(0, "c:\\")
— cut —
See also the attached image file for details.
===========
Remediation
===========
Contact the vendor[4] directly for remediation guidance.
========
Timeline
========
14.10.2024: Security contact requested from [email protected].
31.10.2024: CVE requested from MITRE.
……2024: Nobody cares.
12.11.2024: The advisory has been released.
==========
References
==========
[1] https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/
[2] https://www.textcontrol.com
[3] https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm
[4] https://www.textcontrol.com/contact/email/general/

Cheers,
Filip Palian