Check Box 2016 Q2 Survey Directory Traversal / Open Redirection

Check Box 2016 Q2 Survey suffers from insecure direct object reference, open redirection, and directory traversal vulnerabilities.

MD5 | 82b10bf9cecb8a8d1df5f6e30c946569

# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db :
# Youtube :
# Date: Jan 17, 2017
# Vendor Homepage:
# Software Link:
# Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service, U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!

For a full list of their clients please visit:

1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:\..\web.config&n=web.config

2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).

3- Open redirection in login page for example:

If you can't see why an open redirection is a problem in login page please
visit the following page:

December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!

Related Posts