[R2] HP Loadrunner / HP Performance Center Virtual Table Server (VTS) \web\admin\data.js Remote File Deletion

During the development of a detection plugin for a previous HP VTS vulnerability, one of our engineers discovered an additional issue that allows an unauthenticated attacker to delete arbitrary files on the VTS server. This was tested on Performance Center Virtual Table Server, a component of LoadRunner VTS 12.50 running on a 32-bit Windows 2008 Server host. The vulnerability was found in [HP_VTS_INSTALL_DIR]\web\admin\data.js, which is a dispatcher to handle an HTTP request. The 'f' variable is intended to hold parameters passed in the URL query string (f = querystring.parse(a)) or the POST body (f = c.body). When the user uploads a file with a POST request to url /data/import_csv and body containing "Content-Disposition: form-data; name=fileToUpload", the "path" parameter (f.path) is set to [HP_VTS_INSTALL_DIR]\web\admin\Web\file\(some_randomly_generated_file_name). This is the location where the uploaded file is put into. When VTS finishes processing the file specified in f.path, it tries to delete it.