| T O P I C R E V I E W |
| Panhandler |
Posted - 08 September 2011 : 10:52:11
I have a asp operated photo gallery that permitted .gif files to be uploaded (that's been changed!)
A hacker uploaded and used a file named zor.asp;.gif to get in.
Here's a text copy for anyone interested: link
Original file was named: zor.asp;.gif
|
| 13 L A T E S T R E P L I E S (Newest First) |
| ruirib |
Posted - 12 September 2011 : 16:34:27
Seems quite an old issue! |
| Doug G |
Posted - 12 September 2011 : 15:18:04
For some reading enjoyment: http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
|
| ruirib |
Posted - 12 September 2011 : 15:13:54
I did that, there is a forum I help with that uses some sort of photo gallery vulnerable to this as well, and removing the semicolon meant that the file was no longer executed. I did it with an asp file, sothe code was displayed instead, as if it was a text file. |
| HuwR |
Posted - 12 September 2011 : 14:26:48
would need to check what happens with say something like file.asp.gif no illegal characters in that. so a check for multiple . would probably also be a good idea |
| ruirib |
Posted - 12 September 2011 : 12:14:32
Didn't know about Apache.
I think the main concern is to avoid the execution of any script. For that purpose, restricting characters that can be used in filenames seems to work well. |
| HuwR |
Posted - 12 September 2011 : 12:06:31
this issue affects Apache as well, so is not just an IIS issue. and mimetypes can be spoofed so checking mimetype wouldn't help, the only way to ensure it is an image is to read the file header and check that. |
| ruirib |
Posted - 12 September 2011 : 11:44:12
The problem is not when you upload the file, as that brings no issues. However, if you try to view a file with a name of .asp;.gif, seems IIS uses just the part of the name until the semicolon and executes the file as an asp script. So I have to agree with Marcel when he says this must be an IIS issue. |
| AnonJr |
Posted - 12 September 2011 : 11:15:31
Random thought, but would checking the MIME type sent by the browser help?
The only issue I know of is that Chrome has a disappearing/reappearing bug where it will/won't send the MIME type information with the upload. It's an interesting mix of funny/sad to see the same bug report get opened and closed like that... |
| ruirib |
Posted - 12 September 2011 : 08:06:55
That depends on the mod that you are using. The versions I have seen with Mike's attachment mod, use a function IsValidString that won't allow file names with characters such as ";". I am not sure whether this was added by me, though. |
| MarcelG |
Posted - 12 September 2011 : 07:43:50
Crap...confirmed that this works: http://oxle.com/uploaded/18/9/hello.asp;.gif
Seems to be an IIS loophole...
All Snitz sites that allow people to upload even avatars are possibly vulnerable....ouch.
I fixed it by adding a line to the upload code (uploadengine.asp if I recall correctly).
where I first had only this:
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
I now have this:
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
faname = Replace(objUpload.Files.Item(0).FileName,";","")
If I now try to upload a file using the semicolon trick, I get a nice error.
|
| MarcelG |
Posted - 12 September 2011 : 07:39:46
Is this a new one?! We already had the null-attack a while ago, which we fixed in the upload code....didn't we also take out the other possible attacks? |
| Classicmotorcycling |
Posted - 08 September 2011 : 13:45:06
Sometimes when you go to Google images and just click on those images, be it .jpg, .gif, .png and others they are not in actual fact images, but scripts that install stuff and then redirect you to this wonderful page that tells you that you have a virus installed and you need to purchase their software to remove it.
The point is that you need to know it is not restricted to .gif's and the only way to avoid it in the future is to disable uploads (or as Ruirib says).
|
| ruirib |
Posted - 08 September 2011 : 11:19:00
Disabling gifs won't help it, as any other extensions are prone to the same problem. You will need to change the upload code to remove any ';' characters from the file name used to save the file. |
