Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
 All Forums
 Announcements
 Announcements: Community
 Security Issue: Uploading files (inc Avatars)

Note: You must be registered in order to post a reply.
To register, click here. Registration is FREE!
Before posting, make sure you have read this topic!

Screensize:
UserName:
Password:
Format Mode:
Format: BoldItalicizedUnderlineStrikethrough Align LeftCenteredAlign Right Horizontal Rule Insert HyperlinkInsert EmailInsert Image Insert CodeInsert QuoteInsert List
   
Message:

* HTML is OFF
* Forum Code is ON
Smilies
Smile [:)] Big Smile [:D] Cool [8D] Blush [:I]
Tongue [:P] Evil [):] Wink [;)] Clown [:o)]
Black Eye [B)] Eight Ball [8] Frown [:(] Shy [8)]
Shocked [:0] Angry [:(!] Dead [xx(] Sleepy [|)]
Kisses [:X] Approve [^] Disapprove [V] Question [?]

 
   

T O P I C    R E V I E W
HuwR Posted - 19 May 2006 : 06:59:28
The following security issue has been discovered.

http://secunia.com/advisories/20148/
more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html

This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.

To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename, this can be done by simply replaceing the null bytes using the replace function as follows newfilename = Replace(FileName,vbNullChar,"") as an example I have included the fix required for the avatar mod below.


Avatar Mod nullbyte Fix

in the avatar_upload.asp file, replace the GetFileName function with the one below

	Private Function GetFileName(infoStr)
		Dim sPos
		Dim EndPos
		Dim strTmp
		DIm tmpFilename
		Dim CrLf : CrLf = Chr(13) & Chr(10)
		
		sPos = InStr(infoStr, "filename=")
		EndPos = InStr(infoStr, Chr(34) & CrLf)
		strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
		tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
		GetFileName = Replace(tmpFilename,vbNullChar,"")
	End Function
<
5   L A T E S T    R E P L I E S    (Newest First)
Shaggy Posted - 30 January 2009 : 09:23:26
For those keeping an eye on this topic, the same issue has been discovered in Zuel's Avatar Add-on available [url="http://www.snitzbitz.com/mods/details.asp?Version=All&mid=52]here[/url].

To fix it, find the following beginning on line 60 of clsAvatar.asp add the new line highlighted in green:
Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
Dim CrLf : CrLf = Chr(13) & Chr(10)
	sPos = InStr(infoStr, "filename=")
	EndPos = InStr(infoStr, Chr(34) & CrLf)
	strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
	GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
	GetFileName = Replace(GetFileName,vbNullChar,"")
End Function
<
HuwR Posted - 19 May 2006 : 08:25:20
please try not to clutter up the thread with messages of thanks, otherwise the solutions to other upload problems will get lost in the thread<
HuwR Posted - 19 May 2006 : 08:23:42
Thanks for that one Shaggy.



as a side note to this problem, directories where files are uploaded to on your server should NOT have permissions to execute scripts, that way the problem would not exist in the first place, so it is really a server security issue as well as a code security issue.<
Shaggy Posted - 19 May 2006 : 08:11:29
For Mike's File Attachment Mod find the following on line 20 of outputFile.asp:
filepathname = UploadRequest.Item("blob").Item("FileName")
And replace it with the following:
filepathname = replace(UploadRequest.Item("blob").Item("FileName"),vbNullChar,"")
<
Bassman Posted - 19 May 2006 : 07:14:15
Good catch, thanks for the update HuwR<

Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.08 seconds. Powered By: Snitz Forums 2000 Version 3.4.07