## https://sploitus.com/exploit?id=PACKETSTORM:182666
Hi,

Let's keep it short ...

=====
Intro
=====

A "sudo make me a sandwich" security issue has been identified in the TX Text Control .NET Server for ASP.NET[1].

According to the vendor[2], it is "the most powerful, MS Word compatible document editor that runs in all browsers".

All versions are likely affected; however, this was not confirmed.

=====
Issue
=====

It was possible to change the configured system path used for reading and writing files in the underlying operating system, with the privileges of the user running the web application. This could be achieved by calling the setFileDirectory() function exposed via the JavaScript API[3].

===
PoC
===

-- cut --
TXTextControl.setFileDirectory(0, "c:\\")
-- cut --

See also the attached image file for details.
  
  
===========
Remediation
===========

Contact the vendor[4] directly for remediation guidance.

========
Timeline
========

14.10.2024: Security contact requested from sales.department@textcontrol.com.
31.10.2024: CVE requested from MITRE.
......2024: Nobody cares.
12.11.2024: The advisory has been released.

==========
References
==========

[1] https://www.textcontrol.com/products/asp-dotnet/tx-text-control-dotnet-server/overview/
[2] https://www.textcontrol.com
[3] https://docs.textcontrol.com/textcontrol/asp-dotnet/ref.javascript.txtextcontrol.setfiledirectory.method.htm
[4] https://www.textcontrol.com/contact/email/general/

Cheers,

Filip Palian