DevExpress has released a patch for a directory traversal vulnerability in the ASP.NET AJAX Control Toolkit. The vulnerability affects ASP.NET AJAX Control Toolkit versions prior to v15.1.x. According to official sources, the vulnerability existed before DevExpress took over the ASP.NET AJAX Control Toolkit.
Brian Cardinale, a Principal Application Security Consultant, informed the product team of the vulnerability in 2014.
There is a file-write directory traversal issue in the AjaxControlToolkit “AjaxFileUpload” control. When a file is uploaded through this control, the framework is supposed to write it to the environment's “tmp” directory. The framework does not validate the “fileId” parameter against modification, and that parameter is later used to build the path inside the “temp” directory. By modifying it, a request can write to any location on the disk that file system permissions allow. This can lead to Remote Code Execution if an attacker is able to upload an .aspx file into the web directory.
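The defect pattern described above is a client-controlled identifier flowing unvalidated into a path under the temp directory. The following C# is an added example written for this article; it is not AjaxControlToolkit code and not the DevExpress patch. The class name `UploadPathGuard`, the upload root `_AjaxFileUpload` under the temp directory, and the requirement that `fileId` be a 32-hex-digit GUID are assumptions made for illustration. It shows the vulnerable pattern next to a hardened version that allow-lists the identifier's shape and then confirms the canonicalised path is still inside the upload root.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example (not AjaxControlToolkit code, not the DevExpress patch).
// A client-supplied file identifier is used to build a path under the temp directory.
public static class UploadPathGuard
{
    // Hypothetical upload root; the real control's directory layout is not described in the article.
    private static readonly string UploadRoot =
        Path.Combine(Path.GetTempPath(), "_AjaxFileUpload");

    // Assumption for this example: identifiers are server-generated GUIDs in "N" format,
    // so anything that is not exactly 32 hex digits is rejected before touching the file system.
    private static readonly Regex FileIdPattern =
        new Regex("^[0-9a-fA-F]{32}$", RegexOptions.Compiled);

    // Vulnerable pattern: the identifier flows straight into the path. Parent-directory
    // segments in fileId move the resulting path outside UploadRoot.
    public static string UnsafeTempPath(string fileId)
    {
        return Path.Combine(UploadRoot, fileId);
    }

    // Hardened version: allow-list the identifier's shape, then verify the canonical
    // path is still inside the upload root before returning it.
    public static bool TryGetSafeTempPath(string fileId, out string path)
    {
        path = null;
        if (string.IsNullOrEmpty(fileId) || !FileIdPattern.IsMatch(fileId))
            return false;

        // Normalise the root and make sure it ends with a separator, so that a sibling
        // directory with the same prefix (e.g. "_AjaxFileUpload2") does not pass the check.
        string root = Path.GetFullPath(UploadRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileId));

        // Containment check on the canonicalised path. Ordinal comparison avoids
        // culture-specific surprises; case-insensitive because NTFS is.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;

        path = full;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: one well-formed id, one parent-directory segment,
        // one nested relative path. Only the first should be accepted.
        string[] samples =
        {
            Guid.NewGuid().ToString("N"),
            "..\\escaped.txt",
            "nested/sub/file.txt"
        };

        foreach (string id in samples)
        {
            bool ok = TryGetSafeTempPath(id, out string safe);
            string verdict = ok ? safe : "REJECTED";
            Console.WriteLine("fileId : " + id);
            Console.WriteLine("unsafe : " + UnsafeTempPath(id));
            Console.WriteLine("safe   : " + verdict);
            Console.WriteLine();
        }
    }
}
```

The allow-list on the identifier is the primary control: it also stops an absolute path, which `Path.Combine` would otherwise return unchanged, ignoring the root entirely. The `GetFullPath` containment check is defence in depth for the case where the allow-list is later relaxed.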
If you are using ASP.NET AJAX Control Toolkit, you should update to v15.1.x. The installer can be downloaded from DevExpress.
As a developer, you can also make use of the ASP.NET AJAX Control Toolkit NuGet package.