phoenixtaz13
Junior Member
129 Posts |
Posted - 29 January 2009 : 04:57:45
|
is there a fix for this already?....
i tried using the code below, and it doesnt work, im still able to upload test.asp[null byte].jpg
need advice pls.... ty...
quote: The following security issue has been discovered.
http://secunia.com/advisories/20148/ more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html
This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.
To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename. This can be done by simply replacing the null bytes using the Replace function as follows: newfilename = Replace(FileName,vbNullChar,""). As an example I have included the fix required for the avatar mod below.
Avatar Mod nullbyte Fix
in the avatar_upload.asp file, replace the GetFileName function with the one below
Private Function GetFileName(infoStr)
    Dim sPos
    Dim EndPos
    Dim strTmp
    Dim tmpFilename
    Dim CrLf : CrLf = Chr(13) & Chr(10)
    sPos = InStr(infoStr, "filename=")
    EndPos = InStr(infoStr, Chr(34) & CrLf)
    strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
    tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
    GetFileName = Replace(tmpFilename,vbNullChar,"")
End Function
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 29 January 2009 : 07:19:29
|
well, since you are indeed the first person to say that the fix doesn't work, either you are the only person who has tried it, or there is something else wrong or different with your setup
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 29 January 2009 : 11:51:02
|
hello, good day to you....
thanks for ur time.... i appreciate it very much... :)
im currently hosting the forum at home, and using the latest version of snitz, running winxp pro, iis 5.1 with no-ip.com
i dont know what to do?... should i email you the avatar_upload.asp file?...
i first installed the avatar mod 3.4 by Richard Kinser, adapted by Hamlin, and then installed the zuel's avatar add-on by Daniel M. Dority
i tried the replacement code, and i still can upload testfile.asp[null byte].jpg, am missing on something?....
hope to hear from you soon.... ty... :)
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 29 January 2009 : 12:02:22
|
Does Zuel's add-on include any sort of upload facility? The bug may be there rather than in Richard's/Hamlin's original.
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 29 January 2009 : 15:02:16
|
here are the list of files to be installed:
clsAvatar.asp frmAvatarAdmin.asp frmAvatarMain.asp incAvatarAdminData.asp incAvatarData.asp incAvatarFunction.asp
sorry im not a programmer expert, i could be wrong, it seems to me that it relies on Richard's/Hamlin's avatar_upload.asp...
btw, thanks for ur time... :)
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 30 January 2009 : 05:23:04
|
Find the following on line 60 of clsAvatar.asp and add the line in green:
Private Function GetFileName(infoStr)
    Dim sPos
    Dim EndPos
    Dim strTmp
    Dim CrLf : CrLf = Chr(13) & Chr(10)
    sPos = InStr(infoStr, "filename=")
    EndPos = InStr(infoStr, Chr(34) & CrLf)
    strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
    GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
    ' Strip null bytes (Chr(0)) from the file name
    GetFileName = Replace(GetFileName,vbNullChar,"")
End Function
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 30 January 2009 : 08:10:08
|
heres my avatar_upload.asp line 47
Private Function GetFileName(infoStr)
    Dim sPos
    Dim EndPos
    Dim strTmp
    Dim tmpFilename
    Dim CrLf : CrLf = Chr(13) & Chr(10)
    sPos = InStr(infoStr, "filename=")
    EndPos = InStr(infoStr, Chr(34) & CrLf)
    strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
    tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
    GetFileName = Replace(tmpFilename,vbNullChar,"")
End Function
and my clsAvatar.asp Line 60
Private Function GetFileName(infoStr)
    Dim sPos
    Dim EndPos
    Dim strTmp
    Dim CrLf : CrLf = Chr(13) & Chr(10)
    sPos = InStr(infoStr, "filename=")
    EndPos = InStr(infoStr, Chr(34) & CrLf)
    strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
    GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
    GetFileName = Replace(GetFileName,vbNullChar,"")
End Function
im still able to upload test.asp[null byte].jpg :(
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 30 January 2009 : 08:39:42
|
well, I have tested the code on 3 different servers and the nullchar fix works fine, the file test.asp[nullchar].jpg gets uploaded as test.asp.jpg which is correct, without the nullchar fix it would get uploaded as test.asp which is obviously not what we want
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 30 January 2009 : 10:02:49
|
doink!!! oh i see!... my bad...
i thought it would stop the upload or make a fail upload.... in my folder i see the file as test.asp[null byte].jpg.... since it like that, so it seems that everything is okay.... :)
thanks for ur time.... really appreciate it.... :)
btw, one last thing, can u direct me to where i can find a topic on How to reposition the links( Home | profile | Register | Active topics |) of the frontpage, like position it at the center and the username and pass to the right....
thanks again... :)
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 30 January 2009 : 11:48:40
|
it should not upload the nullbyte, it should strip it out of the name.
by the way, how are you seeing the 'null byte' as they are actually invisible so you should either see the file uploaded as test.asp or test.asp.jpg, which do you get ?
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 30 January 2009 : 12:39:04
|
quote: Originally posted by HuwR
it should not upload the nullbyte, it should strip it out of the name.
by the way, how are you seeing the 'null byte' as they are actually invisible so you should either see the file uploaded as test.asp or test.asp.jpg, which do you get ?
oh i see.... im still able to upload test.asp[null byte].jpg
Heres what i did, i click the UPLOAD PERSONAL AVATAR, click the BROWSE button, select the file test.asp, in the AVATAR LOCATION TEXT BOX, i change the filename from test.asp to test.asp[null byte].jpg and then click SUBMIT.... and then "SUCCESS - AVATAR HAS BEEN UPLOADED"
even though i was able to upload it, i cant or dont see/view the uploaded file test.asp[null byte].jpg in the edit avatar....
in my folder, C:\webroot\forum\avatar\personal\ theres no change with the file name, it is still test.asp[null byte].jpg
how do i fix this?.... i did all the code modification given..... is there some files i need to show u?...
thanks for ur time.... :)
|
|
AnonJr
Moderator
United States
5768 Posts |
Posted - 30 January 2009 : 13:11:13
|
How are you seeing the [Null Byte]? It's not a visible character.... if you're seeing test.asp.jpg then it's done its job. If you type in the URL to /forum/avatar/personal/test.asp it should turn up a 404 - if it doesn't give a 404 error then the code is indeed not working.
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 30 January 2009 : 13:43:09
|
you do realise that [null byte] represents a single byte character whose value is 0 and not the actual string '[null byte]' ?
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 30 January 2009 : 21:51:46
|
correct me if im wrong, null byte injection is test.asp%00.jpg or test.asp0x00.jpg, right?... if im wrong, can u show me an example so i may do it correctly...
by manually looking at the folder where the avatar is uploaded, i see the file as is as what i exampled above.... forgive me for my ignorance, im still in the process of learning things, to my understanding with the fix, it should not upload the example i gave above, right?...
again thanks for taking ur time with me.... :)
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 31 January 2009 : 02:53:14
|
you can't see a null byte, so how do you know the saved file has a null byte ? if it had one, the uploaded file will be called test.asp is that what the uploaded file is called ? if it isn't then the nullbyte fix has worked.
your understanding of the fix is wrong, it does not prevent the file from being uploaded, it just removes the nullbyte char from the file name thus forcing it to be saved as test.asp.jpg rather than test.asp which is what the nullbyte causes it to be saved as.
|
|
phoenixtaz13
Junior Member
129 Posts |
Posted - 01 February 2009 : 20:54:00
|
quote: Originally posted by HuwR
you can't see a null byte, so how do you know the saved file has a null byte ? if it had one, the uploaded file will be called test.asp is that what the uploaded file is called ? if it isn't then the nullbyte fix has worked.
your understanding of the fix is wrong, it does not prevent the file from being uploaded, it just removes the nullbyte char from the file name thus forcing it to be saved as test.asp.jpg rather than test.asp which is what the nullbyte causes it to be saved as.
Doink!... oh i see.... got it now... thanks... now i know... :)
|
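Added example, not part of any post in this thread and not Snitz or avatar-mod code: a Python model of the behaviour HuwR describes, where a file API that stops at byte 0 saves test.asp[null byte].jpg as test.asp, while the name with the null byte stripped is saved as test.asp.jpg. The extension whitelist, the function names and the stricter save_strict variant (which rejects the name instead of stripping it, going beyond the thread's fix) are assumptions.

```python
# Added illustration. Function names and the extension whitelist are
# assumptions for this example, not Snitz or avatar-mod code.
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}

def ext_of(name):
    """Extension as a length-counted string sees it (VBScript strings keep Chr(0))."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def name_on_disk(name):
    """Model a NUL-terminated file API: the name ends at the first byte 0."""
    return name.split("\x00", 1)[0]

def save_unpatched(name):
    if ext_of(name) not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return name_on_disk(name)

def save_patched(name):
    """The thread's fix: Replace(FileName, vbNullChar, "") before the name is used."""
    cleaned = name.replace("\x00", "")
    if ext_of(cleaned) not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return name_on_disk(cleaned)

def save_strict(name):
    """Stricter variant (not in the thread): refuse names with control characters."""
    if any(ord(ch) < 32 for ch in name):
        raise ValueError("control character in filename")
    return save_patched(name)

# Constructed sample names. Only the first holds a real byte 0; the other
# two are ordinary visible characters typed into the form field.
SAMPLES = ["test.asp\x00.jpg", "test.asp%00.jpg", "test.asp[null byte].jpg"]

def compare(names=SAMPLES):
    """Return (repr of submitted name, unpatched result, patched result) rows."""
    return [(repr(n), save_unpatched(n), save_patched(n)) for n in names]

if __name__ == "__main__":
    for row in compare():
        print("%-30s unpatched -> %-26s patched -> %s" % row)
```

Only the first sample changes between the two columns; the literal "%00" and "[null byte]" names are stored exactly as typed with or without the fix, which matches the file name phoenixtaz13 reports seeing in the folder.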