Hej,<\/p>\n
Let’s keep it short …<\/p>\n
=====<\/p>\n
Intro<\/p>\n
=====<\/p>\n
A “sudo make me a sandwich” security issue has been identified in the TX
Text<\/p>\n
Control .NET Server for ASP.NET[1].<\/p>\n
According to the vendor[2], “the most powerful, MS Word compatible document<\/p>\n
editor that runs in all browsers”.<\/p>\n
Likely all versions are affected however, it was not confirmed.<\/p>\n
=====<\/p>\n
Issue<\/p>\n
=====<\/p>\n
It was possible to change the configured system path for reading and writing<\/p>\n
files in the underlying operating system with privileges of the user
running a<\/p>\n
web application. This could be achieved by calling the setfiledirectory()<\/p>\n
function exposed via JavaScript API[3].<\/p>\n
===<\/p>\n
PoC<\/p>\n
===<\/p>\n
— cut —<\/p>\n
TXTextControl.setFileDirectory(0, “c:\\\\”)<\/p>\n
— cut —<\/p>\n
See also the attached image file for details.<\/p>\n
===========<\/p>\n
Remediation<\/p>\n
===========<\/p>\n
Contact the vendor[4] directly for remediation guidance.<\/p>\n
========<\/p>\n
Timeline<\/p>\n
========<\/p>\n
14.10.2024: Security contact requested from sales.department@textcontrol.com
.<\/p>\n
31.10.2024: CVE requested from MITRE.<\/p>\n
……2024: Nobody cares.<\/p>\n
12.11.2024: The advisory has been released.<\/p>\n
==========<\/p>\n
References<\/p>\n
==========<\/p>\n[1]https:\/\/www.textcontrol.com\/products\/asp-dotnet\/tx-text-control-dotnet-server\/overview\/<\/p>\n[2] https:\/\/www.textcontrol.com<\/p>\n[3]https:\/\/docs.textcontrol.com\/textcontrol\/asp-dotnet\/ref.javascript.txtextcontrol.setfiledirectory.method.htm<\/p>\n[4] https:\/\/www.textcontrol.com\/contact\/email\/general\/<\/p>\n
Cheers,<\/p>\n
Filip Palian<\/p>\n","protected":false},"excerpt":{"rendered":"
Hej, Let’s keep it short … ===== Intro ===== A “sudo make me a sandwich” security issue has been identified in the TXText Control .NET Server for ASP.NET[1]. According to the vendor[2], “the most powerful, MS Word compatible document editor that runs in all browsers”. Likely all versions are affected however, it was not confirmed. …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60284","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60284"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60284\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}