Snitz Forums 2000 - MOD Add-On Forum (W/Code)
MOD Commander - directory restriction recommended
work mule
Senior Member

USA
1358 Posts

Posted - 15 March 2001 : 10:06:16
Something that has bothered me about the MOD Commander is the readme.asp. It's a slick idea, but I think there's a minor modification that should be made to it.

Right now you could read outside of the mod directory.

The following example will get the gpl text file.
http://yourserver.com/forum/mods/readme.asp?readme=../gpl

Luckily, the only files it can read are .txt files because of this line:
rfile = request.querystring("readme") & ".txt"

But just in case, I'd recommend checking for the "/" character to stop someone from trying to read outside of the mod directory, or else restricting the readme.asp file to admin and moderator people.


' rfile is the value built above: request.querystring("readme") & ".txt"
' Windows/IIS also accepts "\" as a path separator, so refuse both.
If InStr(rfile, "/") > 0 Or InStr(rfile, "\") > 0 Then
    response.write ("Access outside the mod directory is restricted.")
Else
    Set rfile1 = CreateObject("Scripting.FileSystemObject")
    ' 1 = ForReading, False = do not create the file if it is missing
    Set rfile2 = rfile1.OpenTextFile(server.mappath(rfile), 1, False)

    Do While Not rfile2.AtEndOfStream
        response.write Server.HTMLEncode(rfile2.ReadLine) & "<br>"
    Loop

    rfile2.Close
    Set rfile2 = Nothing
    Set rfile1 = Nothing
End If


Hopefully this will not incur a rash of people's gpl files being read by others.

Reinsnitz
Snitz Forums Admin

USA
3545 Posts

Posted - 15 March 2001 : 10:28:02
hmmmm... MOD Commander will be part of the main code after Internationalization (v4.0)... and will be in the main forum folder... so maybe a restriction on a file prefix and suffix will be good: mod_xxxx.txt

Reinsnitz (Mike)
><)))'> Need a Mod?
"Therefore go and make disciples of all nations,..." Matthew 28:19a

animedj
Junior Member

USA
190 Posts

Posted - 15 March 2001 : 10:32:45
I thought about that.. but then I was looking at showcode.asp... even though it has a security check to not read outside the directory, there are still people who are able to read outside the directory.. so that's why I restrict it to reading only .txt files, as they are the least likely type of file that one would want to hack, since they can be read directly from the browser...

---
Johann Reyes
http://animedj.com

Edited by - animedj on 15 March 2001 10:34:03

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 15 March 2001 : 16:22:47
definitely restrict the files allowed, and the directory. I did this for my dbsetup.asp, to only allow particular files, and I also have a source code formatter which will only view source in a particular directory.

Will the restrictions here allow the mod commander to work ?


work mule
Senior Member

USA
1358 Posts

Posted - 17 March 2001 : 18:58:01
When you think about what this can expose, think outside of just the forum. If you're familiar with Windows and standard installations, you could work your way outside of the forum folder and into somewhere else.

Something like this works:
readme.asp?readme=../../../downloads/mods/bookmark

I would also suggest that you include the inc_top file or some code that checks for admin rights.

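To make the traversal and the proposed checks concrete, here is an added example, not code from this thread or from the MOD Commander project. It models readme.asp's path handling in Python using Windows path semantics (ntpath), since IIS is the deployment under discussion. The install path C:\inetpub\wwwroot\forum\mods is an assumption; the query values are the ones posted above, plus a backslash variant of the first. It shows that appending ".txt" constrains nothing about the directory, that a slash-only check is bypassed with "..\" because Windows also treats the backslash as a separator, and what the combination of work mule's separator check and Reinsnitz's mod_ prefix rule looks like when enforced with an allowlist plus a containment check on the normalised path.

```python
import ntpath
import re

# Assumed install layout, constructed for this example; the thread does not
# give the real paths. Windows semantics via ntpath, since IIS is the target.
MODS_DIR = r"C:\inetpub\wwwroot\forum\mods"


def original_resolve(readme):
    """What the posted readme.asp effectively does:
    rfile = request.querystring("readme") & ".txt", then server.mappath(rfile)
    relative to the mods directory, with no validation of the value."""
    return ntpath.normpath(ntpath.join(MODS_DIR, readme + ".txt"))


def slash_only_allowed(readme):
    """The first suggested fix: refuse the request if it contains "/"."""
    return "/" not in readme


# Tighter rule built from the thread's suggestions: a mod_ prefix, a small
# safe character set, and .txt appended by the server, so neither "/" nor
# "\" nor ".." can appear in the name at all.
MOD_NAME = re.compile(r"^mod_[A-Za-z0-9_]+$")


def hardened_resolve(readme):
    """Return the file path to open, or None if the request is refused."""
    if not MOD_NAME.fullmatch(readme):
        return None
    path = ntpath.normpath(ntpath.join(MODS_DIR, readme + ".txt"))
    # Belt and braces: after normalisation the path must still be inside
    # MODS_DIR. With the allowlist above this cannot fail, but it keeps the
    # page safe if someone later relaxes the regex.
    if ntpath.commonpath([MODS_DIR, path]) != MODS_DIR:
        return None
    return path


def evaluate(readme):
    """Run one query value through the three variants."""
    return {
        "original": original_resolve(readme),
        "slash_check_passes": slash_only_allowed(readme),
        "hardened": hardened_resolve(readme),
    }


if __name__ == "__main__":
    # The two inputs from the thread, a backslash variant of the first, and a
    # legitimate name under the mod_ convention.
    for q in ("../gpl", "..\\gpl", "../../../downloads/mods/bookmark", "mod_bookmark"):
        r = evaluate(q)
        print(f"{q!r:40} original -> {r['original']}")
        print(f"{'':40} slash-only check passes={r['slash_check_passes']}  hardened -> {r['hardened']}")
```

The hardened variant refuses "../gpl" and "..\gpl" outright and only ever opens a file named mod_<name>.txt inside the mods directory; restricting the page to admins, as suggested above, is a separate control and still worth adding on top.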
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page