Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: ASP script using OpenTextFile
From: Cael Abal <lists2 () onryou com>
Date: Mon, 08 Mar 2004 21:58:57 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Tinsley wrote:
Need some help from those out there versed in windows.  I am auditing
an ASP based (VBScript) application which uses OpenTextFile as
follows:

Set f = fso.OpenTextFile(sLeadingPath + paramPageToRender + ".xsl",
ForReading)

I have been able to ../../../../ all over the place, but it only
allows me to pick up files ending with .xsl.  I would like to print
the contents of a non .xsl file to prove that not checking paths
properly is a large issue.  But I have had no luck making it ignore
the .xsl I have tried ../../foo.txt%00 ../../foo.txt%0a
../../foo.txt%0d.  But none of these seem to be working for me, does
anyone know of a good way to end the file where I want and have it
ignore the .xsl tacked on the end of the filename to be opened?  Any
help is greatly appreciated.

Hi Paul,

You're right to raise concerns about this sort of code.  Consider this
example:

- ---snip---

sLeadingPath = "C:\"
paramPageToRender = "passwords.txt" + Chr(0)

set fso = CreateObject("Scripting.FileSystemObject")
set f = fso.OpenTextFile (sLeadingPath + paramPageToRender + ".xsl", 1)

WScript.echo (f.ReadAll)

- ---snip---

You had the right idea, you only needed to figure out how VBS represents
\0.  As you know, because strings are terminated with the null
character, the final string concatenation performed within
OpenTextFile() is disregarded.

Cheers,

Cael

(Heh, fear my leet VBS skills.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFATTLwR2vQ2HfQHfsRAvt1AKC2yNAhgIv/LS3EI9WOlS5PG2HzjQCg5hWV
QzwMDxw5ZomAit0gkj7Qga8=
=qiN/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]