CVE-2025-59744
📋 TL;DR
This path traversal vulnerability in AndSoft's e-TMS v25.03 allows attackers to access files within the web root directory by manipulating the 'docurl' parameter in '/lib/asp/DOCSAVEASASP.ASP'. Organizations using this specific version of AndSoft's e-TMS software are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive configuration files, user data, or application source code within the web root, potentially leading to credential theft, data exposure, or further exploitation.
Likely Case
Unauthorized access to files within the web directory, potentially exposing sensitive application files, configuration data, or user-uploaded content.
If Mitigated
Limited to accessing only non-sensitive files within the web root if proper file permissions and directory restrictions are implemented.
🎯 Exploit Status
The vulnerability appears to be in a specific ASP file with a direct parameter manipulation, suggesting straightforward exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Check the vendor advisory for updates.
2. Apply any available patches from AndSoft.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Windows: Implement server-side validation to sanitize the 'docurl' parameter and block path traversal sequences.
Implement ASP code to validate and sanitize input parameters before processing.
Access Restriction
Windows: Restrict access to the vulnerable ASP file using web server configuration or authentication.
Add authentication requirement or IP restrictions to '/lib/asp/DOCSAVEASASP.ASP' in IIS configuration.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns in requests.
- Restrict file permissions within the web root to minimize potential damage from successful exploitation.
🔍 How to Verify
Check if Vulnerable:
Test the '/lib/asp/DOCSAVEASASP.ASP' endpoint with path traversal payloads in the 'docurl' parameter to see if files outside intended scope are accessible.
Check Version:
Check the application version through the web interface or configuration files.
Verify Fix Applied:
Retest the vulnerable endpoint with the same payloads to confirm access is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to '/lib/asp/DOCSAVEASASP.ASP' with suspicious 'docurl' parameter values containing '../' or similar traversal sequences.
Network Indicators:
- Unusual file access patterns from the web application server.
SIEM Query:
source="web_server" AND uri="/lib/asp/DOCSAVEASASP.ASP" AND (param="docurl" AND value="*../*")
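
The log indicator above, as an added detection example (not from the advisory or from AndSoft). It assumes IIS W3C extended logs with `cs-uri-stem` and `cs-uri-query` fields; the sample lines, IP addresses and file names are constructed. Unlike the literal `*../*` match, it also catches backslash and percent-encoded (including double-encoded) forms of the sequence.

```python
import re
from urllib.parse import parse_qsl, unquote

TARGET_STEM = "/lib/asp/docsaveasasp.asp"  # endpoint named in the advisory
TARGET_PARAM = "docurl"                     # parameter named in the advisory
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # a ".." path segment

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-09-24 10:00:01 GET /lib/asp/DOCSAVEASASP.ASP docurl=docs/invoice.pdf 192.0.2.10 200
2025-09-24 10:00:05 GET /lib/asp/DOCSAVEASASP.ASP docurl=../../example.txt 192.0.2.20 200
2025-09-24 10:00:09 GET /lib/asp/docsaveasasp.asp docurl=..%5c..%5cexample.txt 192.0.2.20 200
2025-09-24 10:00:12 GET /lib/asp/DOCSAVEASASP.ASP id=7&DocUrl=%252e%252e%252fexample.txt 192.0.2.30 404
2025-09-24 10:00:15 GET /index.asp docurl=../x 192.0.2.40 200
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    normalised = fully_decode(value).replace("\\", "/")
    return bool(TRAVERSAL.search(normalised))

def find_suspicious(log_text):
    """Return (client_ip, status, docurl) for flagged requests to the endpoint."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names for following rows
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue                        # IIS paths are case-insensitive
        query = row.get("cs-uri-query", "")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == TARGET_PARAM and is_traversal(value):
                hits.append((row["c-ip"], row["sc-status"], value))
    return hits
```

The returned status code helps triage: a 200 on a flagged request deserves a closer look than a 404.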