Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/Code)
 Security issue & fix with Avatar Mod
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

muzishun
Senior Member

United States
1079 Posts

Posted - 03 July 2006 :  23:27:47  Show Profile  Visit muzishun's Homepage  Reply with Quote
I just read this on Packet Storm, and thought I'd pass it on.

Basically, the Avatar mod is suceptible to Null Byte attacks, which allow a user to upload files with names like "badfile.exe .jpg". The script recognizes that the last four characters are ".jpg", but the FileSystemObject stops reading the filename at the " ", writing "badfile.exe" to the disk. Here's what I came up with as a quick fix. I'm sure it is by no means the best way to do it, but it'll get the job done.

Add the code in red to avatar_upload.asp (appx line 130):

Dim arrAllowedTypes : arrAllowedTypes = Array(".jpg",".jpeg",".gif",".png")
Dim arrNonAllowedTypes : arrNonAllowedTypes = Array(".exe",".php",".asp",".pl",".cgi")
Dim strExtension : strExtension = LCase(Mid(FileName,InStrRev(FileName,".")))
Dim intForCounter
Dim objFSO : Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Dim blnAllow : blnAllow = False
Dim objSaveME
WasSuccess = False

for intForCounter = 0 to Ubound(arrNonAllowedTypes)
	if InStr(FileName,arrNonAllowedTypes(intForCounter)) > 0 then
		UploadMessage = "Failed - This file may contain malicious code. Please check the filename and remove any extensions other than those allowed (i.e. - exe, php, asp, etc)'
		Exit Sub
	end if
next

If len(strPath) = 0 Or Len(FileName) = 0 Then
	UploadMessage = "Failed - This file could not be uploaded."
	Exit Sub
end if

Add other file types as needed/desired.<

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)

Edited by - muzishun on 03 July 2006 23:29:05

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 03 July 2006 :  23:50:30  Show Profile  Send ruirib a Yahoo! Message  Reply with Quote
This had been found and a fix posted some time ago: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=61919<


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

muzishun
Senior Member

United States
1079 Posts

Posted - 04 July 2006 :  01:26:43  Show Profile  Visit muzishun's Homepage  Reply with Quote
Wow... thought I'd searched for it. My apologies. I saw that the posting on the security site was in May, and a quick search didn't turn it up here, so I thought it was still unknown.

I'll try to search a little better next time.<

Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.14 seconds. Powered By: Snitz Forums 2000 Version 3.4.07