eWebEditor v3. 8 column directory vulnerability the [asp version]-a vulnerability warning-the black bar safety net

2013-05-28T00:00:00
ID MYHACK58:62201338999
Type myhack58
Reporter 鬼哥
Modified 2013-05-28T00:00:00

Description

Title: asp eWebEditor v3. 8 column directory vulnerabilities(other versions to test)

Vulnerability file: asp/browse. asp Vulnerability generated:

| 1 | Sub InitParam() ---|---

2 | sType = the UCase(Trim(Request. QueryString("type"))) ---|---

3 | sStyleName = Trim(Request. QueryString("style")) ---|---

4 | sCusDir = Trim(Request. QueryString("cusdir")) ---|---

5 | Dim i, aStyleConfig, bValidStyle ---|---

6 | bValidStyle = False ---|---

7 | For i = 1 To Ubound(aStyle) ---|---

8 | aStyleConfig = Split(aStyle(i), "|||") ---|---

9 | If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then ---|---

1 0 | bValidStyle = True ---|---

1 1 | Exit For ---|---

1 2 | End If ---|---

1 of 3 | Next ---|---

1 4 | If bValidStyle = False Then ---|---

1 5 | OutScript("alert('Invalid Style.')") ---|---

1 6 | End If ---|---

1 7 | sBaseUrl = aStyleConfig(1 9) ---|---

1 8 | nAllowBrowse = CLng(aStyleConfig(4 3)) ---|---

1 9 | nCusDirFlag = Clng(aStyleConfig(6 1)) ---|---

2 0 | If nAllowBrowse <> 1 Then ---|---

2 1 | OutScript("alert('Do not allow browse!')") ---|---

2 2 | End If ---|---

2 3 | If nCusDirFlag <> 1 Then ---|---

2 4 | sCusDir = "" ---|---

2 5 | Else ---|---

2 6 | sCusDir = Replace(sCusDir, "\", "/") ---|---

2 7 | If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then ---|---

2 8 | sCusDir = "" ---|---

2 9 | Else ---|---

3 0 | If Right(sCusDir, 1) <> "/" Then ---|---

3 1 | sCusDir = sCusDir & "/" ---|---

3 2 | End If ---|---

3 3 | End If ---|---

3 4 | End If ---|---

3 5 | sUploadDir = aStyleConfig(3) ---|---

3 6 | If Left(sUploadDir, 1) <> "/" Then ---|---

3 7 | sUploadDir = "../" &sUploadDir ---|---

3 8 | End If ---|---

3 9 | Select Case sBaseUrl ---|---

4 0 | Case "0" ---|---

4 1 | sContentPath = aStyleConfig(2 of 3) ---|---

4 2 | Case "1" ---|---

4 3 | sContentPath = RelativePath2RootPath(sUploadDir) ---|---

4 4 | Case "2" ---|---

4 5 | sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir)) ---|---

4 6 | End Select ---|---

4 7 | sUploadDir = sUploadDir & sCusDir ---|---

4 8 | sContentPath = sContentPath & sCusDir ---|---

4 9 | Select Case sType ---|---

5 0 | Case "FILE" ---|---

5 1 | sAllowExt = "" ---|---

5 2 | Case "MEDIA" ---|---

5 3 | sAllowExt ="rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov" ---|---

5 4 | Case "FLASH" ---|---

5 5 | sAllowExt = "swf" ---|---

5 6 | Case Else ---|---

5 7 | sAllowExt = "bmp|jpg|jpeg|png|gif" ---|---

5 8 | End Select ---|---

5 9 | sCurrDir = sUploadDir ---|---

6 0 | sDir = Trim(Request("dir")) ---|---

6 1 | '1. Assuming dir= ../ ---|---

6 2 | '2. Assuming the dir=...// ---|---

6 3 | '3. Assuming dir=...../// ---|---

6 4 | sDir = Replace(sDir, "\", "/") 'filter 1 ---|---

6 5 | sDir = Replace(sDir, "../", "") 'filter 2 ---|---

6 6 | '1. Here it is filtered. ---|---

6 7 | sDir = Replace(sDir, "./", "") 'Filter 3 ---|---

6 8 | '2 Here is also power. ---|---

6 9 | '3 here's to../. Interesting bypass it! Seems a lot of cms so the filter too. [/color] ---|---

7 0 | If sDir <> "" Then ---|---

7 1 | If CheckValidDir(Server. Mappath(sUploadDir &sDir)) = True Then ---|---

7 2 | sCurrDir = sUploadDir &sDir & "/" ---|---

7 3 | Else ---|---

7 4 | sDir = "" ---|---

7 5 | End If ---|---

7 6 | End If ---|---

7 7 | End Sub ---|---