I just read this on Packet Storm, and thought I'd pass it on.
Basically, the Avatar mod is suceptible to Null Byte attacks, which allow a user to upload files with names like "badfile.exe .jpg". The script recognizes that the last four characters are ".jpg", but the FileSystemObject stops reading the filename at the " ", writing "badfile.exe" to the disk. Here's what I came up with as a quick fix. I'm sure it is by no means the best way to do it, but it'll get the job done.
Add the code in red to avatar_upload.asp (appx line 130):
Dim arrAllowedTypes : arrAllowedTypes = Array(".jpg",".jpeg",".gif",".png")
Dim arrNonAllowedTypes : arrNonAllowedTypes = Array(".exe",".php",".asp",".pl",".cgi")
Dim strExtension : strExtension = LCase(Mid(FileName,InStrRev(FileName,".")))
Dim intForCounter
Dim objFSO : Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Dim blnAllow : blnAllow = False
Dim objSaveME
WasSuccess = False
for intForCounter = 0 to Ubound(arrNonAllowedTypes)
if InStr(FileName,arrNonAllowedTypes(intForCounter)) > 0 then
UploadMessage = "Failed - This file may contain malicious code. Please check the filename and remove any extensions other than those allowed (i.e. - exe, php, asp, etc)'
Exit Sub
end if
next
If len(strPath) = 0 Or Len(FileName) = 0 Then
UploadMessage = "Failed - This file could not be uploaded."
Exit Sub
end if
Add other file types as needed/desired.<
Security issue & fix with Avatar Mod
Posted - 03 July 2006 : 23:27:47
