
Security Advisory: Footy Tipping Software Whitelisting Bypass

Posted by Michael Merlino - 18 November, 2019


Footy Tipping Software Whitelisting Bypass


Release date: 24/10/2019


Last update: 24/10/2019


Vendor: Footy Tipping Software


Vendor site: https://www.footy.com.au/


Product: AFL Web Edition


Affected version(s): 2019


Remediated version: Vendor has not released a patch.


Severity Rating: Medium


Impact: Exposure of sensitive information and client-side code execution.


Attack vector: Whitelisting bypass leading to remote code execution.


CVE: CVE-2019-17058


Details: The web application accepts file uploads and relies on a filename (extension) check to restrict uploads to images and Hypertext Markup Language (HTML) files. Separately, it also accepts an upload.dat file, which is used to modify and update the web application itself. Because the upload.dat path is not subject to the same restriction, it allows potentially malicious files to be placed on the site.

Using the upload.dat functionality, an attacker can have the upload function create an arbitrary file with any extension, including server-side script types. If such a file is placed in a location from which the web server will execute it, the result is code execution on the server and its compromise.

The screenshots below show the file “/Scripts/tipping/data/web.aspx” being uploaded to the server successfully.

Because of the web application's default configuration, the uploaded file can be requested directly and used to achieve remote code execution.
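The following is an added illustration written for this advisory, not code from Footy Tipping Software: it models an upload handler whose extension allow-list is applied only to the uploaded filename, so a file named inside an upload.dat manifest is written with no check at all, beside a hardened handler that passes every file it would write, whatever route it arrived by, through one canonicalising check. The manifest format (one `relative/path=base64(content)` entry per line), the function names and the `manifest_allowed` flag are assumptions made for the example; the advisory only states that upload.dat lets the site's files be modified. The upload directory is the path shown in the advisory.

```python
"""Added example (not the vendor's code): a filename allow-list that a
secondary 'upload.dat' manifest bypasses, beside a handler that checks
every file it writes regardless of how the request named it."""
import base64
import posixpath
from typing import Dict, List, Optional, Tuple

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".html", ".htm"}
UPLOAD_ROOT = "/Scripts/tipping/data"  # directory named in the advisory


def extension_allowed(filename: str) -> bool:
    """Allow-list on the final extension, as the advisory says the app does."""
    _, ext = posixpath.splitext(filename.lower())
    return ext in ALLOWED_EXTENSIONS


def build_manifest(entries: List[Tuple[str, bytes]]) -> bytes:
    """Hypothetical upload.dat encoding: 'relative/path=base64(content)' per line."""
    return b"\n".join(
        rel.encode() + b"=" + base64.b64encode(content) for rel, content in entries
    )


def parse_manifest(data: bytes) -> List[Tuple[str, bytes]]:
    """Inverse of build_manifest(); malformed lines are skipped."""
    entries = []
    for line in data.decode("utf-8", "replace").splitlines():
        if "=" not in line:
            continue
        rel, b64 = line.split("=", 1)  # base64 padding '=' stays on the right
        entries.append((rel.strip(), base64.b64decode(b64.strip())))
    return entries


def vulnerable_upload(filename: str, data: bytes) -> Dict[str, bytes]:
    """Return the files the handler would write, keyed by server path.

    Only the uploaded filename is checked; paths named inside an
    upload.dat manifest are written verbatim, so 'web.aspx' gets through."""
    written: Dict[str, bytes] = {}
    if filename == "upload.dat":
        for rel, content in parse_manifest(data):
            written[posixpath.join(UPLOAD_ROOT, rel)] = content
        return written
    if extension_allowed(filename):
        written[posixpath.join(UPLOAD_ROOT, posixpath.basename(filename))] = data
    return written


def safe_target(rel: str) -> Optional[str]:
    """Canonicalise a caller-supplied relative path; refuse anything that
    escapes UPLOAD_ROOT or whose final extension is not allow-listed."""
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, rel))
    if not full.startswith(UPLOAD_ROOT + "/"):
        return None  # '../' traversal out of the upload directory
    if not extension_allowed(full):
        return None  # .aspx, .ashx, .config, ... are never written
    return full


def hardened_upload(filename: str, data: bytes, manifest_allowed: bool = False) -> Dict[str, bytes]:
    """Every candidate file, including those listed in upload.dat, goes
    through safe_target(). The manifest route is refused outright unless the
    caller has been separately authorised (manifest_allowed is an assumed
    stand-in for that authorisation check)."""
    written: Dict[str, bytes] = {}
    if filename == "upload.dat":
        if not manifest_allowed:
            return written
        candidates = parse_manifest(data)
    else:
        candidates = [(posixpath.basename(filename), data)]
    for rel, content in candidates:
        target = safe_target(rel)
        if target is not None:
            written[target] = content
    return written


# Constructed attacker input: a manifest naming a server-side script type.
# The content is an inert placeholder, not a working script.
PLACEHOLDER_SCRIPT = b"<%-- placeholder for a server-side script --%>"
MALICIOUS_MANIFEST = build_manifest([("web.aspx", PLACEHOLDER_SCRIPT)])

if __name__ == "__main__":
    print("vulnerable writes:", list(vulnerable_upload("upload.dat", MALICIOUS_MANIFEST)))
    print("hardened writes:  ", list(hardened_upload("upload.dat", MALICIOUS_MANIFEST, manifest_allowed=True)))
```

The point of `safe_target()` is that the allow-list is enforced on the path that will actually be written, after normalisation, rather than on whatever name the request happened to carry; storing uploads outside the web root or disabling script execution for the upload directory is a second, independent layer worth adding on the server side.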


Recommendation: Vendor has not released a patch. Until one is available, operators should restrict access to the upload.dat update functionality to trusted administrators, and configure the web server so that files in the upload directory (e.g. /Scripts/tipping/data/) are served as static content and never executed as server-side scripts.


Discovered by: Michael Merlino from Content Security Pty. Ltd.


