Power Article System arbitrary file deletion vulnerability (exposure / vulnerability warning) - the black bar safety net

Author: 佚名 (Anonymous)
Source: www.myhack58.com (MYHACK58:62200611240)
Published: Aug 23, 2006 - 12:00 a.m.

After my own website was maliciously broken into twice in a row, and the IIS logs showed that “script injection” was to blame, I started paying attention to script security. A few days ago a friend asked me to test the security of his website, so I gave it a try, and I actually found a security vulnerability in the Power Article System.

Discovering the vulnerability

My friend uses Power Article System version 3.51. I searched and searched but could not find an “injection point”; the injection vulnerability previously found in the print page had also been fixed, because the latest security patches were applied, and there was no way to upload an ASP trojan with an extension such as CER. Honestly, I admire Webboy's skill; as a fellow teacher, I couldn't write such an excellent site management system, heh.

Finding no injection point, I could only look for logic errors. Unable to upload files, I tried downloading files; unable to obtain administrator rights, I tried deleting files. I installed the same version of the Power Article System on my own machine, changed the line of thinking several times, and finally found the vulnerability. The file in question is User_ArticleSave.asp.

1. Analysis: the Power Article System has a nice feature. When editing an article online you can upload files and images and insert them into the article, and when the article is saved the system checks whether each previously uploaded file is actually used: if a file name does not appear in the article content and has not been set as the home page picture, the file is deleted automatically. This ensures that no junk files are left in the site's upload directory. The file names are carried in a hidden form field.

2. Question: if we manually fill that hidden field with the name of an important file on the site, for example the home page file “/Index.asp” (an absolute path relative to the site's root directory), and submit the form, the system will find that “/Index.asp” does not appear in the article content and has not been set as the home page picture. Won't it then delete Index.asp automatically as well?

Testing the vulnerability

I tested it on my own machine immediately, and it worked! Next I downloaded version 3.6 of the Power system, the latest version: same result! It can be said that this vulnerability exists in all current Power systems. Because the Easy system has to be installed as a component, I felt a bit tired and did not continue testing; in theory it should work just as well, and interested friends can try it.

The exploit procedure:

(1) Save the “Add article” page locally;

(2) Modify the form submission address in the page: in “document.myform.action='User_ArticleSave.asp'”, change “User_ArticleSave.asp” to “http://127.0.0.1/User_ArticleSave.asp” (with “127.0.0.1” replaced by the real URL of the website being tested), and change the “” input from “hidden” to “text”;

(3) Fill in whatever text is required, and in the upload-list field enter the absolute path of the file you want to delete, such as “/index.asp”;

(4) Submit the form.

A few points to note: you must have an account that is allowed to publish articles (most websites using the Power Article System have user registration open); and this is not the only file with the vulnerability, pages such as the resource upload page have the same problem.

Precautions

The protective measures are as follows; everyone can choose their own:

1. Turn off the “delete useless upload files” function: delete the corresponding statements in User_ArticleSave.asp, or comment them out with “'”. This is a bit passive.

2. Some people's first thought may be to “prohibit submissions from outside the site.” The system's administrator management page has such a function, and you can add it to the user management page as well; the relevant analysis has been explained very clearly in previous issues of Hacker Defense Line and will not be repeated here. On the surface this prevents the vulnerability, but in fact the solution is not thorough: I have at least two ways to exploit the vulnerability again, such as capturing, modifying and resending the packet.

3. Wait for Webboy's patch. Meanwhile, here is a piece of code I wrote so you can make do for now:

    'Delete useless Upload File
    '(The name of the hidden-field variable is garbled in this copy of the article;
    ' UploadFiles is used below as an assumed name. The "<li>" markup in the
    ' response.write lines was rendered as bullets in this copy and is restored here.)
    if ObjInstalled=True and UploadFiles<>"" then
        dim fso,strRubbishFile
        Set fso = Server.CreateObject("Scripting.FileSystemObject")
        if instr(UploadFiles,"|")>1 then
            'Several files: the field is a "|"-separated list
            dim arrUploadfiles,intTemp
            arrUploadfiles=split(UploadFiles,"|")
            UploadFiles=""
            for intTemp=0 to ubound(arrUploadfiles)
                if instr(Content,arrUploadfiles(intTemp))<=0 and arrUploadfiles(intTemp)<>DefaultPicUrl then
                    'Added check: the path must begin with the upload directory and must not contain "../"
                    if ucase(left(arrUploadfiles(intTemp),len(SaveUpFilesPath)))<>ucase(SaveUpFilesPath) or instr(arrUploadfiles(intTemp),"../")>0 then
                        response.write "<li>" & arrUploadfiles(intTemp) & " contains illegal characters, has been cleared!"
                        UploadFiles=""
                    else
                        strRubbishFile=server.MapPath(arrUploadfiles(intTemp))
                        if fso.FileExists(strRubbishFile) then
                            fso.DeleteFile(strRubbishFile)
                            response.write "<li>" & arrUploadfiles(intTemp) & " is not used in the article and is not set as the home page picture, so it has been removed!"
                        end if
                    end if
                else
                    'File is still in use: keep it in the list
                    if intTemp=0 then
                        UploadFiles=arrUploadfiles(intTemp)
                    else
                        UploadFiles=UploadFiles & "|" & arrUploadfiles(intTemp)
                    end if
                end if
            next
        else
            'Single file
            if instr(Content,UploadFiles)<=0 and UploadFiles<>DefaultPicUrl then
                if ucase(left(UploadFiles,len(SaveUpFilesPath)))<>ucase(SaveUpFilesPath) or instr(UploadFiles,"../")>0 then
                    response.write "<li>" & UploadFiles & " contains illegal characters, has been cleared!"
                    UploadFiles=""
                else
                    strRubbishFile=server.MapPath(UploadFiles)
                    if fso.FileExists(strRubbishFile) then
                        fso.DeleteFile(strRubbishFile)
                        response.write "<li>" & UploadFiles & " is not used in the article and is not set as the home page picture, so it has been removed!"
                    end if
                    UploadFiles=""
                end if
            end if
        end if
        set fso=nothing
    end If
    'The end

4. In fact, none of the above methods fundamentally fixes this vulnerability. The best way is to implement the “delete unused files” function differently, for example by using the Session to record the uploaded file names.
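As an added illustration (not code from the article or from the Power Article System, and written in Python rather than ASP so that it runs stand-alone), the following shows the deletion step in three forms: the unguarded behaviour the article describes, the path test from item 3 above with canonicalisation added in front of it, and the server-recorded upload list from item 4. The value of SAVE_UP_FILES_PATH, the map_path stand-in for Server.MapPath, the in-memory file system and all sample paths are assumptions constructed for the example.

```python
import posixpath

# Assumed value of the system's SaveUpFilesPath setting (the article names the
# variable but not its value).
SAVE_UP_FILES_PATH = "/UploadFiles/"


def map_path(path):
    """Stand-in for Server.MapPath: resolve a virtual path to one canonical
    absolute path, collapsing '../' segments and treating '\\' as a separator."""
    return posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))


def split_upload_list(raw):
    """The hidden field carries '|'-separated virtual paths; drop empty entries."""
    return [p for p in raw.split("|") if p]


def is_unused(path, content, default_pic):
    """The article's deletion rule: the file name appears nowhere in the article
    body and is not the home-page picture."""
    return path not in content and path != default_pic


def article_substring_check(path):
    """The test from item 3 of the article: a case-insensitive prefix match on
    SaveUpFilesPath, and no '../' anywhere in the string."""
    return (path.upper().startswith(SAVE_UP_FILES_PATH.upper())
            and "../" not in path)


def is_inside_upload_dir(path):
    """Stricter replacement: canonicalise first, then require the result to lie
    under the upload directory (case-insensitive, as IIS paths on Windows are).
    Unlike the substring test it also rejects mixed-separator spellings such as
    '/UploadFiles/..\\index.asp', and the upload directory itself."""
    root = posixpath.normpath(SAVE_UP_FILES_PATH).lower() + "/"
    return map_path(path).lower().startswith(root)


def cleanup_unguarded(fs, form_field, content, default_pic):
    """Behaviour the article reports: every path in the form field is trusted.
    Returns the resolved paths that were deleted."""
    deleted = []
    for path in split_upload_list(form_field):
        real = map_path(path)
        if is_unused(path, content, default_pic) and real in fs:
            fs.remove(real)
            deleted.append(real)
    return deleted


def cleanup_guarded(fs, form_field, content, default_pic):
    """Item 3 of the article with canonicalisation: paths outside the upload
    directory are reported and skipped. Returns (deleted, rejected)."""
    deleted, rejected = [], []
    for path in split_upload_list(form_field):
        if not is_inside_upload_dir(path):
            rejected.append(path)   # the ASP code prints "contains illegal characters" here
            continue
        real = map_path(path)
        if is_unused(path, content, default_pic) and real in fs:
            fs.remove(real)
            deleted.append(real)
    return deleted, rejected


def cleanup_from_session(fs, session_uploads, content, default_pic):
    """Item 4 of the article: the server records what this editing session
    uploaded (e.g. in Session), so the form never names files at all.
    Returns the deleted paths."""
    deleted = []
    for path in sorted(session_uploads):
        real = map_path(path)
        if is_unused(path, content, default_pic) and real in fs:
            fs.remove(real)
            deleted.append(real)
    session_uploads.clear()
    return deleted


def demo():
    """Constructed scenario: a.jpg, b.jpg and c.jpg were uploaded, the article
    uses a.jpg, b.jpg is the home-page picture, and the submitted hidden field
    also names /index.asp and a '../' path. Returns what each variant deleted."""
    content = '<img src="/UploadFiles/a.jpg">'
    default_pic = "/UploadFiles/b.jpg"
    form_field = ("/UploadFiles/a.jpg|/UploadFiles/b.jpg|/UploadFiles/c.jpg"
                  "|/index.asp|/UploadFiles/../Conn.asp")
    uploaded_this_session = {"/UploadFiles/a.jpg", "/UploadFiles/b.jpg", "/UploadFiles/c.jpg"}

    def site():   # fresh fake file system (a set of canonical paths) per variant
        return {"/index.asp", "/Conn.asp", "/UploadFiles/a.jpg",
                "/UploadFiles/b.jpg", "/UploadFiles/c.jpg"}

    return {
        "unguarded": cleanup_unguarded(site(), form_field, content, default_pic),
        "guarded": cleanup_guarded(site(), form_field, content, default_pic),
        "session": cleanup_from_session(site(), set(uploaded_this_session), content, default_pic),
    }


if __name__ == "__main__":
    for variant, result in demo().items():
        print(variant, result)
```

The unguarded variant deletes c.jpg, /index.asp and /Conn.asp; the guarded variant deletes only c.jpg and reports the two paths outside the upload directory; the session variant deletes only c.jpg and never consults the form field. Canonicalising before the prefix test matters because the two substring tests in item 3 accept a string such as “/UploadFiles/..\index.asp”, which begins with the upload directory and contains no “../” as written.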

The Power Article System is currently the most widely used free code, and many other systems have imitated this function, mine included, heh. Exploiting this vulnerability is very vicious, real dog-in-the-manger behaviour, because files deleted this way do not go to the recycle bin and cannot be recovered! I disclose this vulnerability only in the hope that every programmer writing scripts will think more about security and avoid similar problems.