| Author |
 Topic  |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
 Posted - 19 May 2006 : 06:59:28
|
The following security issue has been discovered.
http://secunia.com/advisories/20148/
more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html
This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.
To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename, this can be done by simply replaceing the null bytes using the replace function as follows newfilename = Replace(FileName,vbNullChar,"") as an example I have included the fix required for the avatar mod below.
Avatar Mod nullbyte Fix
in the avatar_upload.asp file, replace the GetFileName function with the one below
Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
DIm tmpFilename
Dim CrLf : CrLf = Chr(13) & Chr(10)
sPos = InStr(infoStr, "filename=")
EndPos = InStr(infoStr, Chr(34) & CrLf)
strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
GetFileName = Replace(tmpFilename,vbNullChar,"")
End Function
< |
Edited by - HuwR on 19 May 2006 07:09:22 |
|
|
Bassman
Junior Member
Netherlands
256 Posts |
Posted - 19 May 2006 : 07:14:15
|
| Good catch, thanks for the update HuwR< |
 |
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 19 May 2006 : 08:11:29
|
For Mike's File Attachment Mod find the following on line 20 of outputFile.asp:filepathname = UploadRequest.Item("blob").Item("FileName")And replace it with the following:filepathname = replace(UploadRequest.Item("blob").Item("FileName"),vbNullChar,"")< |
 Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.” |
|
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 19 May 2006 : 08:23:42
|
Thanks for that one Shaggy.
as a side note to this problem, directories where files are uploaded to on your server should NOT have permissions to execute scripts, that way the problem would not exist in the first place, so it is really a server security issue as well as a code security issue.< |
Edited by - HuwR on 19 May 2006 08:24:16 |
|
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 19 May 2006 : 08:25:20
|
| please try not to clutter up the thread with messages of thanks, otherwise the solutions to other upload problems will get lost in the thread< |
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 30 January 2009 : 09:23:26
|
For those keeping an eye on this topic, the same issue has been discovered in Zuel's Avatar Add-on available [url="http://www.snitzbitz.com/mods/details.asp?Version=All&mid=52]here[/url].
To fix it, find the following beginning on line 60 of clsAvatar.asp add the new line highlighted in green:Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
Dim CrLf : CrLf = Chr(13) & Chr(10)
sPos = InStr(infoStr, "filename=")
EndPos = InStr(infoStr, Chr(34) & CrLf)
strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
GetFileName = Replace(GetFileName,vbNullChar,"")
End Function < |
Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.” |
|
|
| |
Topic |
|
|
|
Security Issue: Uploading files (inc Avatars)
