I have an asp operated photo gallery that permitted .gif files to be uploaded (that's been changed!)
A hacker uploaded and used a file named zor.asp;.gif to get in.
Here's a text copy for anyone interested: link Original file was named: zor.asp;.gif
Posted
Disabling gifs won't help it, as any other extensions are prone to the same problem. You will need to change the upload code to remove any ';' characters from the file name used to save the file.
Posted
Sometimes when you go to Google images and just click on those images, be it .jpg, .gif, .png and others they are not in actual fact images, but scripts that install stuff and then redirect you to this wonderful page that tells you that you have a virus installed and you need to purchase their software to remove it.
The point is that you need to know it is not restricted to .gif's and the only way to avoid it in the future is to disable uploads (or as Ruirib says).
Cheers,
David Greening
Posted
Is this a new one?! We already had the null-attack a while ago, which we fixed in the upload code....didn't we also take out the other possible attacks?
portfolio - linkshrinker - oxle - twitter
Posted
Crap...confirmed that this works: http://oxle.com/uploaded/18/9/hello.asp;.gif
Seems to be an IIS loophole... All Snitz sites that allow people to upload even avatars are possibly vulnerable....ouch.
I fixed it by adding a line to the upload code (uploadengine.asp if I recall correctly).
where I first had only this:
Code:
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
I now have this:
Code:
' Strip null characters first, then strip semicolons from that result
faname = Replace(objUpload.Files.Item(0).FileName,vbNullChar,"")
faname = Replace(faname,";","")
If I now try to upload a file using the semicolon trick, I get a nice error.
portfolio - linkshrinker - oxle - twitter
Last edited by MarcelG on 12 September 2011, 07:58
Posted
That depends on the mod that you are using. The versions I have seen with Mike's attachment mod, use a function IsValidString that won't allow file names with characters such as ";". I am not sure whether this was added by me, though.
Posted
Random thought, but would checking the MIME type sent by the browser help?
The only issue I know of is that Chrome has a disappearing/reappearing bug where it will/won't send the MIME type information with the upload. It's an interesting mix of funny/sad to see the same bug report get opened and closed like that...
Posted
The problem is not when you upload the file, as that brings no issues. However, if you try to view a file with a name of .asp;.gif, seems IIS uses just the part of the name until the semicolon and executes the file as an asp script. So I have to agree with Marcel when he says this must be an IIS issue.
Posted
This issue affects Apache as well, so it is not just an IIS issue. And mimetypes can be spoofed, so checking mimetype wouldn't help; the only way to ensure it is an image is to read the file header and check that.
Posted
Didn't know about Apache.
I think the main concern is to avoid the execution of any script. For that purpose, restricting characters that can be used in filenames seems to work well.
Posted
Would need to check what happens with, say, something like file.asp.gif; no illegal characters in that. So a check for multiple . would probably also be a good idea.
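The checks suggested across this thread (rejecting ";" and null characters, refusing more than one dot, and reading the file header), combined as an added example that is not part of any post and is not Snitz code. The function names are hypothetical, the sample bytes are constructed, and the script is written to run stand-alone with cscript.exe.

```vbscript
Option Explicit

' Accept only "<base>.<ext>": exactly one dot, an allowlisted extension, and
' a base name of letters, digits, "_" or "-". One test covers "a.asp;.gif",
' "a.asp.gif" and names that contain a null character.
Function IsSafeUploadName(fileName)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[a-z0-9_-]{1,64}\.(gif|jpg|jpeg|png)$"
    IsSafeUploadName = re.Test(fileName)
End Function

' Hex string of the first n bytes of a binary (byte) string.
Function HeadHex(bytes, n)
    Dim i, h
    h = ""
    For i = 1 To n
        If i > LenB(bytes) Then Exit For
        h = h & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2)
    Next
    HeadHex = h
End Function

' True when the leading bytes match the signature expected for the extension.
Function HeaderMatchesExtension(fileName, bytes)
    Dim ext, sig
    ext = LCase(Mid(fileName, InStrRev(fileName, ".") + 1))
    Select Case ext
        Case "gif": sig = "47494638"              ' "GIF8"
        Case "jpg", "jpeg": sig = "FFD8FF"
        Case "png": sig = "89504E470D0A1A0A"
        Case Else: HeaderMatchesExtension = False : Exit Function
    End Select
    HeaderMatchesExtension = (Left(HeadHex(bytes, 8), Len(sig)) = sig)
End Function

' Constructed sample input: a GIF89a header and the start of an ASP script.
Dim gifHead, aspHead
gifHead = ChrB(&H47) & ChrB(&H49) & ChrB(&H46) & ChrB(&H38) & ChrB(&H39) & ChrB(&H61)
aspHead = ChrB(&H3C) & ChrB(&H25)

' Name checks on the file names mentioned in the thread, then header checks.
WScript.Echo "holiday.gif name ok:   " & IsSafeUploadName("holiday.gif")
WScript.Echo "zor.asp;.gif name ok:  " & IsSafeUploadName("zor.asp;.gif")
WScript.Echo "file.asp.gif name ok:  " & IsSafeUploadName("file.asp.gif")
WScript.Echo "GIF bytes as .gif:     " & HeaderMatchesExtension("holiday.gif", gifHead)
WScript.Echo "ASP bytes as .gif:     " & HeaderMatchesExtension("holiday.gif", aspHead)
```

Rejecting a bad name outright, rather than stripping characters from it, avoids saving a file under a name that still contains ".asp". A file can start with a valid image signature and still carry script text, so the header check complements the name check and does not replace it.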