mojoPortal Directory Traversal Vulnerability Leading to Unauthenticated Remote Code Execution

A directory traversal vulnerability has been identified in mojoPortal versions through 2.9.0.1. This vulnerability allows an unauthenticated attacker to access sensitive files within the web root directory, such as the Web.Config file, which contains the machineKey used to validate and decrypt ViewState data. Exploiting this vulnerability could lead to remote code execution on the server.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with the executed code running in the context of the IIS worker process.

Reproduction

The vulnerability can be reproduced by sending a GET request to the BetterImageGallery API Controller's ImageHandler action, including a path parameter that traverses directories to access the Web.Config file. After obtaining the Web.Config file and extracting the machineKey, a POST request can be sent to the PayPalIPNHandler.aspx endpoint with a crafted ViewState payload that exploits the deserialization vulnerability, leading to remote code execution.

Remediation

The vulnerability has been addressed in version 2.9.1.0, but users should verify the update has been applied.