Microsoft.AspNetCore.Mvc.Localization.LocalizedHtmlStringSecurity Issue: Uploading files (inc Avatars)

Security Issue: Uploading files (inc Avatars)

Printed from: Snitz™ Forums 2000
URL: https://forum.snitz.com/forumTopic/Posts/61919?pagenum=1
Printed on: 04 November 2025, 21:40

Topic

Author : HuwR
Subject : Security Issue: Uploading files (inc Avatars)
Posted : 19 May 2006, 06:59
Message :

The following security issue has been discovered.
http://secunia.com/advisories/20148/
more : http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046115.html

This advisory relates to the Avatar upload mod, for which there is a fix below, however this problem is likely to affect any mods that allow file uploads using asp script, so they will also need to be checked and fixed.
To fix the issue and prevent any security problems you basically need to remove the null bytes from the filename, this can be done by simply replaceing the null bytes using the replace function as follows newfilename = Replace(FileName,vbNullChar,"") as an example I have included the fix required for the avatar mod below.

Avatar Mod nullbyte Fix
in the avatar_upload.asp file, replace the GetFileName function with the one below

Code:


	Private Function GetFileName(infoStr)
		Dim sPos
		Dim EndPos
		Dim strTmp
		DIm tmpFilename
		Dim CrLf : CrLf = Chr(13) & Chr(10)
		
		sPos = InStr(infoStr, "filename=")
		EndPos = InStr(infoStr, Chr(34) & CrLf)
		strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
		tmpFilename = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
		GetFileName = Replace(tmpFilename,vbNullChar,"")
	End Function

Replies ...

Reply Author: Bassman
Replied on: 19 May 2006, 07:14
Message:

Good catch, thanks for the update HuwR<

Reply Author: Shaggy
Replied on: 19 May 2006, 08:11
Message:

For Mike's File Attachment Mod find the following on line 20 of outputFile.asp:

Code:

filepathname = UploadRequest.Item("blob").Item("FileName")

And replace it with the following:

Code:

filepathname = replace(UploadRequest.Item("blob").Item("FileName"),vbNullChar,"")

Reply Author: HuwR
Replied on: 19 May 2006, 08:23
Message:

Thanks for that one Shaggy.

as a side note to this problem, directories where files are uploaded to on your server should NOT have permissions to execute scripts, that way the problem would not exist in the first place, so it is really a server security issue as well as a code security issue.<

Reply Author: HuwR
Replied on: 19 May 2006, 08:25
Message:

please try not to clutter up the thread with messages of thanks, otherwise the solutions to other upload problems will get lost in the thread<

Reply Author: Shaggy
Replied on: 30 January 2009, 09:23
Message:

For those keeping an eye on this topic, the same issue has been discovered in Zuel's Avatar Add-on available here.
To fix it, find the following beginning on line 60 of clsAvatar.asp add the new line highlighted in green:

Code:

Private Function GetFileName(infoStr)
Dim sPos
Dim EndPos
Dim strTmp
Dim CrLf : CrLf = Chr(13) & Chr(10)
	sPos = InStr(infoStr, "filename=")
	EndPos = InStr(infoStr, Chr(34) & CrLf)
	strTmp = Mid(infoStr, sPos + 10, EndPos - (sPos + 10))
	GetFileName = Mid(strTmp,InstrRev(strTmp,"\",-1,1) + 1)
	GetFileName = Replace(GetFileName,vbNullChar,"")
End Function