Security issue & fix with Avatar Mod - Posted on (1429 Views)
Senior Member
muzishun
Posts: 1079
I just read this on Packet Storm, and thought I'd pass it on.
Basically, the Avatar mod is susceptible to Null Byte attacks, which allow a user to upload files with names like "badfile.exe .jpg". The script recognizes that the last four characters are ".jpg", but the FileSystemObject stops reading the filename at the " ", writing "badfile.exe" to the disk. Here's what I came up with as a quick fix. I'm sure it is by no means the best way to do it, but it'll get the job done.
Add the code in red to avatar_upload.asp (appx line 130):
Code:

Dim arrAllowedTypes : arrAllowedTypes = Array(".jpg",".jpeg",".gif",".png")
Dim arrNonAllowedTypes : arrNonAllowedTypes = Array(".exe",".php",".asp",".pl",".cgi")
Dim strExtension : strExtension = LCase(Mid(FileName,InStrRev(FileName,".")))
Dim intForCounter
Dim objFSO : Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Dim blnAllow : blnAllow = False
Dim objSaveME
WasSuccess = False

' Reject the upload if a blocked extension appears anywhere in the full
' filename, not only at its end, so "badfile.exe .jpg" is caught.
' vbTextCompare makes the match case-insensitive, so ".EXE" is caught too.
for intForCounter = 0 to Ubound(arrNonAllowedTypes)
    if InStr(1, FileName, arrNonAllowedTypes(intForCounter), vbTextCompare) > 0 then
        UploadMessage = "Failed - This file may contain malicious code. Please check the filename and remove any extensions other than those allowed (i.e. - exe, php, asp, etc)"
        Exit Sub
    end if
next

If len(strPath) = 0 Or Len(FileName) = 0 Then
    UploadMessage = "Failed - This file could not be uploaded."
    Exit Sub
end if
Add other file types as needed/desired.
Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
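The failure described in the post above, as an added example (not code from the post or from the Snitz Avatar mod): an extension-only check, a model of the "stops reading at the space" truncation the post reports, and an allow-list validator that rejects names the saving layer could read differently from the check. Function names and the NUL terminator are assumptions of this example; the ASP snippet above is a deny-list, whereas this validator rebuilds the name from an allow-list.

```python
import os
import re

# Allow-list of avatar extensions, taken from the snippet in the post above.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}

# Characters a file API may treat as the end of the name. The post reports
# that FileSystemObject stops at the space; NUL is included as an assumption.
TERMINATORS = ("\x00", " ")

# Anything outside this set in the stem is replaced before saving.
UNSAFE_STEM_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def naive_check(filename: str) -> bool:
    """The extension-only check the post describes: trailing extension must be allowed."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def name_written_to_disk(filename: str) -> str:
    """Model of the truncation the post describes: the file API stops at the
    first terminator, so the checked name and the saved name differ."""
    for terminator in TERMINATORS:
        filename = filename.split(terminator, 1)[0]
    return filename


def safe_avatar_name(filename: str, max_stem: int = 64):
    """Allow-list validator: return the name to save, or None to reject.
    Rejects names the saving layer could read differently from the check
    (NUL, whitespace, control characters), drops any directory part, and
    rebuilds the name from a sanitised stem plus an allowed extension."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or any(c.isspace() or not c.isprintable() for c in base):
        return None
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    stem = UNSAFE_STEM_CHARS.sub("_", stem)[:max_stem]
    if not stem.strip("_"):          # nothing meaningful left, e.g. ".gif"
        return None
    return stem + ext


if __name__ == "__main__":
    for name in ("badfile.exe .jpg", "badfile.exe\x00.jpg", "me.JPG"):
        print(repr(name), naive_check(name), repr(name_written_to_disk(name)),
              safe_avatar_name(name))
```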
Posted on
Snitz Forums Admin
ruirib
Posts: 26364
This had been found and a fix posted some time ago: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=61919
Posted on
Senior Member
muzishun
Posts: 1079
Wow... thought I'd searched for it. My apologies. I saw that the posting on the security site was in May, and a quick search didn't turn it up here, so I thought it was still unknown.
I'll try to search a little better next time.
Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)