Snitz Forums 2000
 Hacked by a .gif

T O P I C    R E V I E W
Panhandler Posted - 08 September 2011 : 10:52:11
I have an asp operated photo gallery that permitted .gif files to be uploaded (that's been changed!)
A hacker uploaded and used a file named zor.asp;.gif to get in.

Here's a text copy for anyone interested: link
Original file was named: zor.asp;.gif

13   L A T E S T    R E P L I E S    (Newest First)
ruirib Posted - 12 September 2011 : 16:34:27
Seems quite an old issue!
Doug G Posted - 12 September 2011 : 15:18:04
For some reading enjoyment: http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
ruirib Posted - 12 September 2011 : 15:13:54
I did that, there is a forum I help with that uses some sort of photo gallery vulnerable to this as well, and removing the semicolon meant that the file was no longer executed. I did it with an asp file, so the code was displayed instead, as if it was a text file.
HuwR Posted - 12 September 2011 : 14:26:48
Would need to check what happens with, say, something like file.asp.gif; no illegal characters in that. So a check for multiple . would probably also be a good idea.
ruirib Posted - 12 September 2011 : 12:14:32
Didn't know about Apache.
I think the main concern is to avoid the execution of any script. For that purpose, restricting characters that can be used in filenames seems to work well.
HuwR Posted - 12 September 2011 : 12:06:31
This issue affects Apache as well, so is not just an IIS issue. And mimetypes can be spoofed, so checking mimetype wouldn't help; the only way to ensure it is an image is to read the file header and check that.
ruirib Posted - 12 September 2011 : 11:44:12
The problem is not when you upload the file, as that brings no issues. However, if you try to view a file with a name of .asp;.gif, seems IIS uses just the part of the name until the semicolon and executes the file as an asp script. So I have to agree with Marcel when he says this must be an IIS issue.
AnonJr Posted - 12 September 2011 : 11:15:31
Random thought, but would checking the MIME type sent by the browser help?

The only issue I know of is that Chrome has a disappearing/reappearing bug where it will/won't send the MIME type information with the upload. It's an interesting mix of funny/sad to see the same bug report get opened and closed like that...
ruirib Posted - 12 September 2011 : 08:06:55
That depends on the mod that you are using. The versions I have seen with Mike's attachment mod, use a function IsValidString that won't allow file names with characters such as ";". I am not sure whether this was added by me, though.
MarcelG Posted - 12 September 2011 : 07:43:50
Crap...confirmed that this works: http://oxle.com/uploaded/18/9/hello.asp;.gif
Seems to be an IIS loophole...
All Snitz sites that allow people to upload even avatars are possibly vulnerable....ouch.

I fixed it by adding a line to the upload code (uploadengine.asp if I recall correctly).

where I first had only this:
		faname 			=  Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")

I now have this:
		' Apply the second Replace to faname so the null-character stripping is kept
		faname 			=  Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
		faname 			=  Replace(faname,";","")

If I now try to upload a file using the semicolon trick, I get a nice error.
MarcelG Posted - 12 September 2011 : 07:39:46
Is this a new one?! We already had the null-attack a while ago, which we fixed in the upload code....didn't we also take out the other possible attacks?
Classicmotorcycling Posted - 08 September 2011 : 13:45:06
Sometimes when you go to Google images and just click on those images, be it .jpg, .gif, .png and others they are not in actual fact images, but scripts that install stuff and then redirect you to this wonderful page that tells you that you have a virus installed and you need to purchase their software to remove it.

The point is that you need to know it is not restricted to .gif's and the only way to avoid it in the future is to disable uploads (or as Ruirib says).
ruirib Posted - 08 September 2011 : 11:19:00
Disabling gifs won't help it, as any other extensions are prone to the same problem. You will need to change the upload code to remove any ';' characters from the file name used to save the file.
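
The checks raised across this thread (rejecting ";" and null characters, refusing names with more than one dot, and reading the file header instead of trusting the MIME type) combined into one routine. This is an added example, not code from any poster or from the Snitz upload mods; the function names are hypothetical, and it assumes the upload has already been written to savedPath.

```vbscript
' Added example; function names are hypothetical, not from the thread's upload mod.
' Returns "" if the client-supplied file name is acceptable, else the reason.
Function CheckUploadName(ByVal fileName)
    Dim re
    CheckUploadName = ""
    If InStr(fileName, vbNullChar) > 0 Or InStr(fileName, ";") > 0 Then
        CheckUploadName = "null character or semicolon in name"
        Exit Function
    End If
    Set re = New RegExp
    ' One dot only and an allowed extension; rejects path separators and names like file.asp.gif.
    re.Pattern = "^[a-z0-9_-]{1,64}\.(gif|jpe?g|png)$"
    If Not re.Test(LCase(fileName)) Then CheckUploadName = "name or extension not allowed"
End Function

' True when the first bytes of the saved file match the signature for ext.
Function HeaderMatchesExtension(ByVal path, ByVal ext)
    Dim stm, head, sig, i
    HeaderMatchesExtension = False
    Select Case LCase(ext)
        Case "gif"         : sig = Array(&H47, &H49, &H46, &H38)   ' "GIF8"
        Case "png"         : sig = Array(&H89, &H50, &H4E, &H47)   ' 0x89 "PNG"
        Case "jpg", "jpeg" : sig = Array(&HFF, &HD8, &HFF)
        Case Else          : Exit Function
    End Select
    Set stm = CreateObject("ADODB.Stream")
    stm.Type = 1                      ' adTypeBinary
    stm.Open
    stm.LoadFromFile path
    head = stm.Read(UBound(sig) + 1)  ' Null when the file is empty
    stm.Close
    If IsNull(head) Then Exit Function
    If LenB(head) < UBound(sig) + 1 Then Exit Function
    For i = 0 To UBound(sig)
        If AscB(MidB(head, i + 1, 1)) <> sig(i) Then Exit Function
    Next
    HeaderMatchesExtension = True
End Function

' Returns "" when both checks pass; otherwise the caller rejects the upload.
Function CheckUpload(ByVal fileName, ByVal savedPath)
    Dim reason, ext
    reason = CheckUploadName(fileName)
    If reason = "" Then
        ext = Mid(fileName, InStrRev(fileName, ".") + 1)
        If Not HeaderMatchesExtension(savedPath, ext) Then reason = "header does not match extension"
    End If
    CheckUpload = reason
End Function
```

A matching header only confirms that the file starts like an image; script text can follow it, so the name check is what keeps the server from treating the upload as ASP.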
