Fixing the OBlog 2.52 help.asp vulnerability

Source: Internet
Author: User
This is an interesting case.
OBlog is an ASP-based blog system; the current version is 2.52.
A vulnerability in its help.asp file was disclosed some days ago:
it let you read the source of any file on the site, including .asp files, which is obviously serious (the database connection file is the usual first target).
The vendor has now fixed the problem. The key part of the modified code is as follows:
<%
fname = trim(request("file"))
fname = lcase(fname)
fname = replace(fname, "asp", "")    ' blacklist: strip every "asp" in one pass
if fname = "" then
    fname = "help/h_sysmain.htm"
end if
if right(fname, 4) = ".htm" then     ' only names whose last four characters are .htm are loaded
    show_help = "Current location: <a href='index.asp'>homepage</a> → blog help"
    show_help = show_help & adodb_loadfile(fname)
    show = replace(show, "$show_list$", show_help)
    response.write show
    call bottom()
else
    response.write("incorrect input file")
end if
%>
Yesterday, in a QQ group, a user suddenly had a flash of inspiration and said that the patched code above still had a problem.
Let's look at his line of analysis:
The patch works in two ways. One is to replace every "asp" string, to prevent viewing .asp files; the other is to allow only files with a .htm suffix.
First, the code that replaces "asp":
fname = replace(fname, "asp", "")
So if you request help.asp?file=conn.asp, it becomes help.asp?file=conn.
But if we request help.asp?file=conn.aaspsp, after the replacement it becomes help.asp?file=conn.asp.
So the "asp" replacement is not a reliable protection and can be bypassed.
Then the second point, the .htm suffix check.
His idea is as follows:
Wasn't there an upload vulnerability some time ago? There, we usually capture the packet first and then modify the data
to construct a file name such as a.asp000000.gif;
the upload program then assumes it is a gif file, but it is actually saved as a.asp.
So can the same thing be done here?
Construct the file name conn.asp000000.htm so that the fname check is fooled;
then, in the adodb_loadfile(fname) function, the conn.asp file is actually opened,
and the goal is achieved.

Taken on its own, his reasoning looks consistent,
and the first step of his analysis, bypassing the "asp" check, is correct.
In the second step, however, his understanding is wrong.
Many people know of the upload vulnerability, but what the upload vulnerability actually is,
and why it works, is unclear to most of them.
In addition, ASP behaves somewhat differently from PHP and Perl here.
For details, refer to this paper on the 0x00 byte and ASP file uploads:
http://security-assessment.com/Papers/0x00_vs_ASP_File_Uploads.pdf
I believe it will help you understand the upload vulnerability.
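To make the two points above concrete, here is an added example (my own code, not OBlog's and not from the original post): a Python model of the patched VBScript filter next to a whitelist version. The help/ directory layout, the function names and the decision that the hardened version takes a bare file name rather than a path are assumptions. The model shows that a single-pass Replace, which is what both VBScript's Replace and Python's str.replace do, turns conn.aaspsp into conn.asp, that the trailing .htm check is then the only thing stopping that name, and that the patched check constrains only the last four characters, not the directory the file is read from, which is why the hardened version restricts the parameter to one help page name instead of blacklisting substrings.

```python
"""Model of the OBlog 2.52 help.asp filter (added example, not OBlog's code).

The functions below re-implement the VBScript logic quoted above in Python so
its behaviour can be exercised offline. The help/ layout, the function names
and the bare-file-name convention of the hardened version are assumptions.
"""
import re

HELP_DIR = "help"                        # assumed: help pages live in help/
DEFAULT_PAGE = "help/h_sysmain.htm"      # default taken from the patched code


def strip_asp_once(name: str) -> str:
    """VBScript Replace(fname, "asp", "") is a single left-to-right pass;
    Python's str.replace behaves the same way, so 'aaspsp' collapses to 'asp'."""
    return name.replace("asp", "")


def strip_asp_to_fixpoint(name: str) -> str:
    """Repeat the replace until the string stops changing. This closes the
    reassembly trick but is still a blacklist and says nothing about where
    the file lives."""
    while "asp" in name:
        name = name.replace("asp", "")
    return name


def patched_filter(file_param: str):
    """Mirror of the official 2.52 fix: Trim, LCase, one-pass Replace,
    default page, then Right(fname, 4) = ".htm".
    Returns the name that would reach adodb_loadfile, or None if rejected."""
    fname = file_param.strip().lower()
    fname = strip_asp_once(fname)
    if fname == "":
        fname = DEFAULT_PAGE
    if fname[-4:] == ".htm":             # Right(fname, 4) = ".htm"
        return fname
    return None


# Assumed whitelist: a help page is a single name like h_sysmain.htm.
HELP_NAME = re.compile(r"[a-z0-9_]+\.htm")


def hardened_filter(file_param: str):
    """Whitelist version (assumed design, not the vendor's): the parameter is
    a bare file name, must match a strict pattern, and is always joined to
    HELP_DIR by the server. Dots outside the extension, slashes, backslashes
    and NUL bytes never reach the file API, so neither the 'asp' blacklist nor
    a suffix check is needed."""
    fname = file_param.strip().lower()
    if fname == "":
        return DEFAULT_PAGE
    if HELP_NAME.fullmatch(fname) is None:
        return None
    return f"{HELP_DIR}/{fname}"


if __name__ == "__main__":
    # Constructed probes: the two names discussed above plus a traversal and
    # a legitimate page, to compare what each filter lets through.
    for probe in ("conn.asp", "conn.aaspsp", "../../conn.htm", "h_sysmain.htm", ""):
        print(f"{probe!r:18} patched={patched_filter(probe)!r:22} "
              f"hardened={hardened_filter(probe)!r}")
```

In classic ASP the same whitelist would be written with a VBScript RegExp object (or a character loop) followed by a server-side concatenation with the help directory; the language does not matter, the structure does: accept a short, exact shape and build the path yourself rather than trying to strip dangerous substrings out of what the client sent.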

