After the administrator logs in and adds a new permitted file extension such as "aassp", the administrator can upload a malicious file whose extension is "aassp".
After the file is processed by the filtering rule, its extension is changed to "*.asp". The file will then run as a webshell.
https://github.com/siteserver/cms/blob/dev/net452/SiteServer.CMS/Core/PathUtility.cs
The filtering rule:

```csharp
retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
```

The rule is so simple that it only replaces "as".
And the suggestion is:
after the replacement, add a check to strengthen the filter:
if "as" is still present in the file extension, reject the upload.
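As an added illustration (my own code, not SiteServer's; the allowlist contents and helper names are assumptions), the following C# shows why a single case-insensitive removal of "as" collapses "aassp" into "asp", implements the post-replacement check suggested above, and puts a strict extension allowlist beside it for comparison:

```csharp
// Added example, not SiteServer's code. It contrasts the single-pass "as" removal
// described in this issue with (a) the check suggested here and (b) an allowlist.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class ExtensionFilterDemo
{
    // Mirrors the reported rule: one case-insensitive removal of every "as".
    // "aassp" -> "asp": the inner "as" is deleted and the remaining letters re-form "asp".
    public static string SinglePassStrip(string ext)
    {
        return Regex.Replace(ext, "as", string.Empty, RegexOptions.IgnoreCase);
    }

    // The fix suggested in this issue: after stripping, refuse any extension
    // in which "as" is still present (checked case-insensitively).
    public static bool IsAllowedBySuggestedFix(string ext)
    {
        string stripped = SinglePassStrip(ext);
        return stripped.IndexOf("as", StringComparison.OrdinalIgnoreCase) < 0;
    }

    // Stricter alternative (my addition, not from the issue): accept only extensions
    // on an explicit allowlist instead of trying to delete dangerous substrings.
    // The allowlist contents are an assumption for this demo.
    private static readonly HashSet<string> SafeExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "jpg", "jpeg", "png", "gif", "pdf" };

    public static bool IsAllowedByAllowlist(string ext)
    {
        return SafeExtensions.Contains(ext.Trim().TrimStart('.'));
    }

    public static void Main()
    {
        // Constructed sample extensions: the case from this issue, its upper-case form,
        // a plain "asp", and a harmless image extension.
        foreach (string ext in new[] { "aassp", "AASSP", "asp", "png" })
        {
            Console.WriteLine("{0,-6} strippedTo={1,-5} suggestedFix={2,-5} allowlist={3}",
                ext, SinglePassStrip(ext), IsAllowedBySuggestedFix(ext), IsAllowedByAllowlist(ext));
        }
    }
}
```

Running `Main` shows "aassp" and "AASSP" stripped to "asp" (rejected by the suggested check, since "as" survives), while "png" passes both checks. The suggested check closes the case reported here, but a denylist-by-deletion remains fragile by design; an allowlist of the few extensions the site actually needs is the more robust setting.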
POC:
A part of the response: