Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Gladinet CentreStack and TrioFox Unauthenticated Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability allowing unauthenticated access to system files has been identified in Gladinet CentreStack and TrioFox. This issue affects all versions prior to and including 16.7.10368.56560. The vulnerability arises from the default installation and configuration of these products, which inadvertently permit the inclusion of local files. Exploitation of this flaw has been observed in the wild, with attackers retrieving sensitive information such as the machine key from the Web.config file, potentially leading to remote code execution.

Impact

Successful exploitation allows for unauthorized access to system files, with the potential to retrieve sensitive information such as the machine key, which can be used for remote code execution in conjunction with other vulnerabilities.

Remediation

To mitigate this vulnerability, it is recommended to disable the temp handler in the Web.config file for the UploadDownloadProxy component. This can be done by removing a specific line that points to the temp handler, which will prevent the vulnerability from being exploited until a patch is available.
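The remediation above amounts to auditing the handler mappings in a Web.config and removing one of them. The following is an added example, not code from the vendor or from this advisory: the function names are hypothetical, and the handler names, paths and types in the sample are constructed placeholders, because this page does not give the actual line to remove.

```python
import xml.etree.ElementTree as ET

# Constructed sample: handler names, paths and types are placeholders, not
# the real CentreStack/TrioFox entries (take those from the vendor guidance).
SAMPLE_WEB_CONFIG = """<configuration>
  <!-- constructed sample -->
  <system.webServer>
    <handlers>
      <add name="example-upload" path="upload.example" verb="*" type="Example.Upload" />
      <add name="example-temp" path="temp.example" verb="*" type="Example.Temp" />
    </handlers>
  </system.webServer>
</configuration>"""

SECTIONS = ("handlers", "httpHandlers")  # integrated-mode and classic-mode sections


def _parse(text):
    # Keep XML comments so the rewritten file can be diffed against the original.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def _mappings(root):
    """Yield (section, add_element) for every handler mapping in the config."""
    for tag in SECTIONS:
        for section in root.iter(tag):
            for add in section.findall("add"):
                yield section, add


def list_handlers(text):
    """Audit view: (section, name, path, type) for each handler mapping."""
    return [(s.tag, a.get("name", ""), a.get("path", ""), a.get("type", ""))
            for s, a in _mappings(_parse(text))]


def remove_handler(text, path):
    """Return the config text with the mapping(s) for `path` removed."""
    root = _parse(text)
    hits = [(s, a) for s, a in _mappings(root)
            if a.get("path", "").lower() == path.lower()]
    if not hits:
        # Fail loudly so a typo is never mistaken for a completed mitigation.
        raise LookupError(f"no handler mapping with path {path!r}")
    for section, add in hits:
        section.remove(add)
    return ET.tostring(root, encoding="unicode")
```

Run it against a copy of the Web.config and diff the output before replacing the live file, since the XML serializer may normalize whitespace and quoting.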

Added: Oct 9, 2025, 5:37 PM
Updated: Nov 4, 2025, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.8
exploitability: 6.9
remediation: 6.0
relevance: 0.7
threat: 9.3
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.