The Forum has been Updated
The code has been upgraded to the latest .NET core version. Please check instructions in the Community Announcements about migrating your account.
The following security issue has been discovered.
http://secunia.com/advisories/20148/
more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html
This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.
To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename, this can be done by simply replaceing the null bytes using the replace function as follows newfilename = Replace(FileName,vbNullChar,"") as an example I have included the fix required for the avatar mod below.
Avatar Mod nullbyte Fix
in the avatar_upload.asp file, replace the GetFileName function with the one below
<
http://secunia.com/advisories/20148/
more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html
This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.
To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename, this can be done by simply replaceing the null bytes using the replace function as follows newfilename = Replace(FileName,vbNullChar,"") as an example I have included the fix required for the avatar mod below.
Avatar Mod nullbyte Fix
in the avatar_upload.asp file, replace the GetFileName function with the one below
Code:
Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
DIm tmpFilename
Dim CrLf : CrLf = Chr(13) & Chr(10)
sPos = InStr(infoStr, "filename=")
EndPos = InStr(infoStr, Chr(34) & CrLf)
strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
GetFileName = Replace(tmpFilename,vbNullChar,"")
End Function
Posted
Good catch, thanks for the update HuwR<
Posted
For Mike's File Attachment Mod find the following on line 20 of outputFile.asp:And replace it with the following:<
Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Code:
filepathname = UploadRequest.Item("blob").Item("FileName")Code:
filepathname = replace(UploadRequest.Item("blob").Item("FileName"),vbNullChar,"")fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Posted
Thanks for that one Shaggy.
as a side note to this problem, directories where files are uploaded to on your server should NOT have permissions to execute scripts, that way the problem would not exist in the first place, so it is really a server security issue as well as a code security issue.<
as a side note to this problem, directories where files are uploaded to on your server should NOT have permissions to execute scripts, that way the problem would not exist in the first place, so it is really a server security issue as well as a code security issue.<
Posted
please try not to clutter up the thread with messages of thanks, otherwise the solutions to other upload problems will get lost in the thread<
Posted
For those keeping an eye on this topic, the same issue has been discovered in Zuel's Avatar Add-on available here.
To fix it, find the following beginning on line 60 of clsAvatar.asp add the new line highlighted in green:<
Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
To fix it, find the following beginning on line 60 of clsAvatar.asp add the new line highlighted in green:
Code:
Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
Dim CrLf : CrLf = Chr(13) & Chr(10)
sPos = InStr(infoStr, "filename=")
EndPos = InStr(infoStr, Chr(34) & CrLf)
strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
GetFileName = Replace(GetFileName,vbNullChar,"")
End Functionfact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”