Footy Tipping Software Whitelisting Bypass
Release date: 24/10/2019
Last update: 24/10/2019
Vendor: Footy Tipping Software
Vendor site: https://www.footy.com.au/
Product: AFL Web Edition
Affected version(s): 2019
Remediated version: Vendor has not released a patch.
Severity Rating: Medium
Impact: Exposure of sensitive information and client-side code execution.
Attack vector: Whitelisting bypass leading to remote code execution.
CVE: CVE-2019-17058
Details: The web application accepts file uploads and relies on a filename (extension) check to restrict uploads to images and Hypertext Markup Language (HTML). It also accepts a file named upload.dat, which the application treats as an update package used to modify and update the web application. Because this update path is not subject to the same restriction, potentially malicious files can be uploaded to the site.
Through the upload.dat functionality an attacker can use the upload function to write an arbitrary file with any extension to the server. Where that file is a server-side script, it may be possible to execute it on the web server and compromise the host.
Screenshots in the original advisory show the file "/Scripts/tipping/data/web.aspx" being successfully uploaded to the server.
Due to the default configuration of the web application, the uploaded file can be requested directly and used to achieve remote code execution.
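The following is an added, self-contained example written for this advisory; it is not the vendor's code and makes no claim about how AFL Web Edition is implemented internally. It contrasts the filename-only allowlist pattern described above, including an unconditional exception for an update package, with a hardened validator that has no special-cased names, checks content against the extension for binary types, and stores every accepted file under a random server-chosen name so the client never controls the path or extension on disk. The allowed extensions, the magic-byte table, the structure of the update package and the sample PNG header are all assumptions constructed for the example.

```python
# Added illustrative example (not the vendor's code): the filename-only
# allowlist pattern from the advisory next to a hardened upload validator.
import posixpath
import re
import secrets

# Types the application is meant to accept (assumption for this example).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".htm", ".html"}

# Leading bytes expected for the binary types (assumption: a production
# service would use a full content sniffer such as libmagic instead).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# One dot, safe characters only: rejects "web.aspx;.png", "web.aspx.png",
# path separators and control characters in one go.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")

# Constructed sample inputs.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
ASPX_SAMPLE = b'<%@ Page Language="C#" %><% Response.Write("hi"); %>'


def weak_is_allowed(filename: str) -> bool:
    """The pattern the advisory describes: accept by extension, but treat
    'upload.dat' as an update package and wave it through unconditionally."""
    base = posixpath.basename(filename).lower()
    if base == "upload.dat":  # the special case that defeats the allowlist
        return True
    return posixpath.splitext(base)[1] in ALLOWED_EXT


def weak_apply_update(package: dict, upload_dir: str) -> list:
    """Hypothetical update handler (assumption about how upload.dat is
    consumed): every entry is written under the path the package names,
    with no extension or path check. Returns the paths it would write."""
    return [posixpath.normpath(posixpath.join(upload_dir, name)) for name in package]


def validate_upload(filename: str, data: bytes) -> str:
    """Hardened check. Returns the server-side name to store the file under,
    or raises ValueError. No special-cased filenames, extension must be on
    the allowlist, content must match the extension for binary types, and
    the stored name is random so the client chooses neither the path nor the
    extension of what ends up on disk."""
    base = posixpath.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        raise ValueError("unsafe filename: %r" % filename)
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match %s" % ext)
    # HTML has no magic bytes; it is still active content and should be
    # served from a separate origin or as an attachment (not shown here).
    return secrets.token_hex(16) + ext


def is_rejected(filename: str, data: bytes) -> bool:
    """True when the hardened validator refuses the upload."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    print("weak check, web.aspx:", weak_is_allowed("web.aspx"))
    print("weak check, upload.dat:", weak_is_allowed("upload.dat"))
    print("weak update writes:", weak_apply_update({"web.aspx": ASPX_SAMPLE}, "/Scripts/tipping/data"))
    print("hardened, upload.dat rejected:", is_rejected("upload.dat", ASPX_SAMPLE))
    print("hardened, photo.png stored as:", validate_upload("photo.png", PNG_SAMPLE))
```

The weak path shows why a filename allowlist alone is not a control: the update exception is a second channel with no check at all, and the hypothetical handler writes whatever path the package names, which is exactly how a file such as /Scripts/tipping/data/web.aspx would land in a directory the server is willing to execute from. The hardened path treats an update package like any other upload (it is simply not an allowed type here; a real update mechanism would need its own authenticated and signed channel rather than an exception in the upload filter).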
Recommendation: Vendor has not released a patch. Until one is available, deployments should disable script execution (handler mappings) for the upload directory, restrict or disable the upload.dat update mechanism, and monitor web server logs for requests to unexpected script files under /Scripts/tipping/data/.
Discovered by: Michael Merlino from Content Security Pty. Ltd.