|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-12-14 | |
| Rule Name: | FlexDotnetCMS Arbitrary ASP File Upload Vulnerability (CVE-2020-27386) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | An unrestricted file upload issue in FlexDotnetCMS before v1.5.9 allows an authenticated remote attacker to upload and execute arbitrary files by using the FileManager to upload malicious code (e.g., ASP code) in the form of a safe file type (e.g., a TXT file), and then using the FileEditor (in v1.5.8 and prior) or the FileManager's rename function (in v1.5.7 and prior) to rename the file to an executable extension (e.g., ASP), and finally executing the file via an HTTP GET request to / |
|
| Impact: | An attacker could exploit this vulnerability to have unspecified effect. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | http://packetstormsecurity.com/files/160411/FlexDotnetCMS-1.5.8-Arbitrary-ASP-File-Upload.html https://blog.vonahi.io/whats-in-a-re-name/ https://github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9 https://github.com/rapid7/metasploit-framework/pull/14339 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://github.com/MacdonaldRobinson/FlexDotnetCMS/releases/tag/v1.5.9 |