BlogEngine.NET api/BlogImporter.asmx GetFile Function Unauthorized Access

This script is Copyright (C) 2011 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a script that can be abused to copy
files.

Description :

The web server hosts BlogEngine.NET, an open source .NET blogging
project.

An install of the software on the remote host allows unauthenticated
access to the 'GetFile' function of the 'api/BlogImporter.asmx'
script. An unauthenticated, remote attacker may be able to abuse this
function to copy files on the affected host, possibly originating from
third-party hosts and possibly to directories outside the
application's 'App_Data\files' directory.

Successful exploitation may result in disclosure of sensitive
information, allow for execution of arbitrary code, fill up disk
space, or even facilitate attacks against third-party hosts.

Note that Nessus has only verified that the affected function and
script are accessible without authentication although it's possible
that the code has been changed to prevent abuse without changing how
it responds to the requests that Nessus uses.

See also :

http://www.nessus.org/u?99091411

Solution :

Upgrade to BlogEngine.Net 2.0 or remove the affected script.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 51564 ()

Bugtraq ID: 45681

CVE ID: