| Author |
 Topic  |
|
|
Panhandler
Average Member
USA
783 Posts |
 Posted - 08 September 2011 : 10:52:11
|
I have a asp operated photo gallery that permitted .gif files to be uploaded (that's been changed!)
A hacker uploaded and used a file named zor.asp;.gif to get in.
Here's a text copy for anyone interested: link
Original file was named: zor.asp;.gif
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 08 September 2011 : 11:19:00
|
| Disabling gifs won't help it, as any other extensions are prone to the same problem. You will need to change the upload code to remove any ';' characters from the file name used to save the file. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
 |
|
|
Classicmotorcycling
Development Team Leader
Australia
2085 Posts |
Posted - 08 September 2011 : 13:45:06
|
Sometimes when you go to Google images and just click on those images, be it .jpg, .gif, .png and others they are not in actual fact images, but scripts that install stuff and then redirect you to this wonderful page that tells you that you have a virus installed and you need to purchase their software to remove it.
The point is that you need to know it is not restricted to .gif's and the only way to avoid it in the future is to disable uploads (or as Ruirib says).
|
Cheers,
David Greening |
|
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 12 September 2011 : 07:39:46
|
| Is this a new one?! We already had the null-attack a while ago, which we fixed in the upload code....didn't we also take out the other possible attacks? |
portfolio - linkshrinker - oxle - twitter |
|
|
|
MarcelG
Retired Support Moderator
Netherlands
2625 Posts |
Posted - 12 September 2011 : 07:43:50
|
Crap...confirmed that this works: http://oxle.com/uploaded/18/9/hello.asp;.gif
Seems to be an IIS loophole...
All Snitz sites that allow people to upload even avatars are possibly vulnerable....ouch.
I fixed it by adding a line to the upload code (uploadengine.asp if I recall correctly).
where I first had only this:
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
I now have this:
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
faname = Replace(objUpload.Files.Item(0).FileName,";","")
If I now try to upload a file using the semicolon trick, I get a nice error.
|
portfolio - linkshrinker - oxle - twitter |
Edited by - MarcelG on 12 September 2011 07:58:47 |
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 12 September 2011 : 08:06:55
|
| That depends on the mod that you are using. The versions I have seen with Mike's attachment mod, use a function IsValidString that won't allow file names with characters such as ";". I am not sure whether this was added by me, though. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
|
AnonJr
Moderator
United States
5768 Posts |
Posted - 12 September 2011 : 11:15:31
|
Random thought, but would checking the MIME type sent by the browser help?
The only issue I know of is that Chrome has a disappearing/reappearing bug where it will/won't send the MIME type information with the upload. It's an interesting mix of funny/sad to see the same bug report get opened and closed like that... |
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 12 September 2011 : 11:44:12
|
| The problem is not when you upload the file, as that brings no issues. However, if you try to view a file with a name of .asp;.gif, seems IIS uses just the part of the name until the semicolon and executes the file as an asp script. So I have to agree with Marcel when he says this must be an IIS issue. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
|
HuwR
Forum Admin
United Kingdom
20593 Posts |
Posted - 12 September 2011 : 12:06:31
|
| this issue affects Apache as well, so is not just an IIS issue. and mimetypes can be spoofed so checking mimetype wouldn't help, the only way to ensure it is an image is to read the file header and check that. |
MVC .net dev/test site | MVC .net running on Raspberry Pi |
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 12 September 2011 : 12:14:32
|
Didn't know about Apache.
I think the main concern is to avoid the execution of any script. For that purpose, restricting characters that can be used in filenames seems to work well. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
|
HuwR
Forum Admin
United Kingdom
20593 Posts |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 12 September 2011 : 15:13:54
|
| I did that, there is a forum I help with that uses some sort of photo gallery vulnerable to this as well, and removing the semicolon meant that the file was no longer executed. I did it with an asp file, sothe code was displayed instead, as if it was a text file. |
Snitz 3.4 Readme | Like the support? Support Snitz too |
|
|
|
Doug G
Support Moderator
USA
6493 Posts |
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
|
| |
Topic |
|
Hacked by a .gif
