Snitz Forums 2000
 Security issue & fix with Avatar Mod

T O P I C    R E V I E W
muzishun Posted - 03 July 2006 : 23:27:47
I just read this on Packet Storm, and thought I'd pass it on.

Basically, the Avatar mod is susceptible to Null Byte attacks, which allow a user to upload files with names like "badfile.exe .jpg". The script recognizes that the last four characters are ".jpg", but the FileSystemObject stops reading the filename at the " ", writing "badfile.exe" to the disk. Here's what I came up with as a quick fix. I'm sure it is by no means the best way to do it, but it'll get the job done.

Add the code in red to avatar_upload.asp (appx line 130):

Dim arrAllowedTypes : arrAllowedTypes = Array(".jpg",".jpeg",".gif",".png")
Dim arrNonAllowedTypes : arrNonAllowedTypes = Array(".exe",".php",".asp",".pl",".cgi")
Dim strExtension : strExtension = LCase(Mid(FileName,InStrRev(FileName,".")))
Dim intForCounter
Dim objFSO : Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Dim blnAllow : blnAllow = False
Dim objSaveME
WasSuccess = False

' Reject the upload if a blocked extension appears anywhere in the name,
' not only at the end; compare case-insensitively so ".EXE" is caught too.
for intForCounter = 0 to Ubound(arrNonAllowedTypes)
	if InStr(LCase(FileName),arrNonAllowedTypes(intForCounter)) > 0 then
		UploadMessage = "Failed - This file may contain malicious code. Please check the filename and remove any extensions other than those allowed (i.e. - exe, php, asp, etc)"
		Exit Sub
	end if
next

' Nothing to save if either the target path or the filename is empty.
If len(strPath) = 0 Or Len(FileName) = 0 Then
	UploadMessage = "Failed - This file could not be uploaded."
	Exit Sub
end if

Add other file types as needed/desired.
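The weakness described above, as an added example that is not part of the post or of the Snitz Avatar mod's ASP code: a Python model of the "last extension only" check, a model of the truncation that defeats it, and a hardened check that rejects the malformed name before it reaches the filesystem. All function names are this example's own; the NUL-truncation in effective_name is an assumption standing in for the FileSystemObject behaviour the post reports, and the sample filenames are constructed.

```python
"""Added example (not the Snitz post's or project's code): avatar filename
validation, vulnerable and hardened. Names and the truncation model are this
example's own assumptions."""
import os
from typing import Optional

ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
BLOCKED_TOKENS = (".exe", ".php", ".asp", ".pl", ".cgi")


def posted_extension(filename: str) -> str:
    """Extension the way the post's ASP computes it: everything after the last dot."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def vulnerable_allows(filename: str) -> bool:
    """The original check: only the text after the last dot is inspected, so
    'badfile.exe\\0.jpg' and 'badfile.exe .jpg' both look like JPEGs."""
    return posted_extension(filename) in ALLOWED_EXTENSIONS


def effective_name(filename: str) -> str:
    """Model (an assumption of this example) of what reaches disk when a
    NUL-containing name is handed to a C-string based API such as the
    FileSystemObject: the name is cut at the first NUL byte."""
    return filename.split("\x00", 1)[0]


def hardened_allows(filename: str) -> bool:
    """Hardened check: refuse NUL/control bytes and path separators outright,
    then validate the extension of the name that would actually be written."""
    if not filename:
        return False
    # A NUL or control byte in a filename is an attack indicator, never a typo.
    if any(ord(ch) < 0x20 or ch in "/\\" for ch in filename):
        return False
    name = os.path.basename(filename)
    # Whitespace before the extension ("badfile.exe .jpg") is rejected too,
    # because some filesystems and libraries trim it.
    if name != name.strip() or " ." in name:
        return False
    root, ext = os.path.splitext(name)
    if not root or ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # Belt and braces, as the posted fix does: no executable token anywhere.
    lowered = name.lower()
    return not any(tok in lowered for tok in BLOCKED_TOKENS)


def safe_store_name(user_id: int, filename: str) -> Optional[str]:
    """Strongest option: never write the client's name at all. Keep only the
    validated extension and build the on-disk name from server-side data."""
    if not hardened_allows(filename):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return f"avatar_{user_id}{ext}"


if __name__ == "__main__":
    # Constructed sample inputs, not captured uploads.
    for candidate in ("avatar.jpg", "badfile.exe\x00.jpg",
                      "badfile.exe .jpg", "shell.asp"):
        print(repr(candidate), vulnerable_allows(candidate),
              repr(effective_name(candidate)), hardened_allows(candidate))
```

Running the block shows the gap: vulnerable_allows accepts "badfile.exe\x00.jpg" while effective_name reports that "badfile.exe" is what would land on disk; hardened_allows rejects it, and safe_store_name removes the client's name from the equation entirely, which is the change a practitioner would actually want in the mod.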
2   L A T E S T    R E P L I E S    (Newest First)
muzishun Posted - 04 July 2006 : 01:26:43
Wow... thought I'd searched for it. My apologies. I saw that the posting on the security site was in May, and a quick search didn't turn it up here, so I thought it was still unknown.

I'll try to search a little better next time.
ruirib Posted - 03 July 2006 : 23:50:30
This had been found and a fix posted some time ago: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=61919

Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page