
Security Advisory: Footy Tipping Software Whitelisting Bypass

Posted by Michael Merlino - 18 November, 2019


Footy Tipping Software Whitelisting Bypass

Release date: 24/10/2019

Last update: 24/10/2019

Vendor: Footy Tipping Software

Vendor site: https://www.footy.com.au/

Product: AFL Web Edition

Affected version(s): 2019

Remediated version: Vendor has not released a patch.

Severity Rating: Medium

Impact: Exposure of sensitive information and client-side code execution.

Attack vector: Whitelisting bypass leading to remote code execution.

CVE: CVE-2019-17058

Details: The web application accepts file uploads but relies on filename checks alone to restrict uploads to images and Hypertext Markup Language (HTML). It also accepts upload.dat files, which are used to modify and update the web application. Together these allow potentially malicious files to be uploaded to the site.

Using the upload.dat functionality, an attacker can have the upload function create an arbitrary file with any extension on the server. If that file is one the web server will execute, it may be possible to run the code on the web server and compromise it.

The screenshots below show the file “/Scripts/tipping/data/web.aspx” being successfully uploaded to the server.

Due to the default configuration of the web application, it’s possible to access the uploaded file and use the uploaded file to achieve remote code execution.
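
The advisory turns on two weaknesses: the file type is judged only by the client-supplied name, and a second channel (upload.dat) can write files with arbitrary names under the web root. The following Python is an added example, not the vendor's code, of how an upload handler avoids both: it checks the extension against an allowlist and the content against the declared type, never lets the client name influence the stored path, confines the write to a directory of the server's choosing, and includes a detection helper that flags server-executable files in the upload directory. The allowlist, signature table, extension set and directory names are constructed assumptions for this demonstration.

```python
"""Hardened handling for an image/HTML upload feature.

Added example, not Footy Tipping Software's code. The allowlist,
signature table, extension set and directory names are constructed
for this demonstration.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Extensions the feature is meant to accept (constructed allowlist).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".html", ".htm"}

# Leading bytes each binary image type must begin with (constructed table).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a web server may execute or interpret; none of these may ever
# be written under a served directory (the advisory's example is web.aspx).
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".php", ".jsp"}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def validate_upload(client_name: str, content: bytes) -> str:
    """Return the allowlisted extension if the upload is acceptable, else raise.

    The client-supplied name is consulted only for its extension; it never
    contributes to the path the file is stored at.
    """
    # Keep only the final path component so "../" or "data/web.aspx" cannot
    # steer the write location.
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("empty or NUL-containing filename")
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not in the allowlist")
    # Reject stacked names such as shell.aspx.png: every inner suffix must
    # also be harmless, since some servers map handlers on an inner extension.
    inner = ["." + s.lower() for s in stem.split(".")[1:]]
    if any(s in SERVER_EXECUTABLE for s in inner):
        raise UploadRejected("server-executable inner extension")
    # Check the content against the declared type, not just the name.
    if ext in MAGIC:
        if not any(content.startswith(sig) for sig in MAGIC[ext]):
            raise UploadRejected("content does not match declared image type")
    else:
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("HTML upload is not valid UTF-8 text") from None
    return ext


def is_accepted(client_name: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(client_name, content)
        return True
    except UploadRejected:
        return False


def store_upload(client_name: str, content: bytes, upload_root: Path) -> Path:
    """Write validated content under upload_root with a random server-chosen
    name and confirm the resolved destination stays inside the root."""
    ext = validate_upload(client_name, content)
    root = upload_root.resolve()
    dest = (root / (secrets.token_hex(16) + ext)).resolve()
    if root not in dest.parents:
        raise UploadRejected("resolved path escaped the upload root")
    root.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(content)
    return dest


def find_server_executables(upload_root: Path) -> list:
    """Detection helper: files under upload_root with a server-executable
    extension. Any hit in an upload directory is worth an alert."""
    return sorted(p for p in upload_root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SERVER_EXECUTABLE)


def demo() -> dict:
    """Exercise the validator and the scanner in a temporary directory."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8      # constructed PNG header
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        stored = store_upload("../../Scripts/tipping/data/photo.png", png, root)
        results["stored_suffix"] = stored.suffix
        results["stored_inside_root"] = root.resolve() in stored.parents
        results["client_name_reused"] = "photo" in stored.name
        # Plant a file that bypassed validation and confirm the scan reports it.
        (root / "web.aspx").write_text("<%@ Page %>")
        results["scan_hits"] = [p.name for p in find_server_executables(root)]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `store_upload` is that nothing the client sends decides where the bytes land or what they are called; the update channel (upload.dat in this advisory) needs the same treatment, behind authentication and through a code path that cannot write under the served directory. `find_server_executables` is the cheap after-the-fact check: an upload directory should never contain an `.aspx`, so a scheduled scan that reports one is a reliable signal.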

Recommendation: Vendor has not released a patch.

Discovered by: Michael Merlino from Content Security Pty. Ltd.