Closed diy0829 closed 5 years ago
The details of the bug are very clear. We will fix it in the next version. Thanks for your help
@starlying was this issue ever addressed? And if so, could you point me to the fix? Thanks!
This issue is addressed; updating to the latest version will fix it.
@starlying in which commit was the issue fixed?
Thanks in advance :)
After the administrator logs in and adds a new permitted file extension such as "aassp", the administrator can upload a malicious file whose extension is "aassp". After the file is processed by the filtering rule, its extension is changed to "*.asp", and the file can then run as a webshell.
https://github.com/siteserver/cms/blob/dev/net452/SiteServer.CMS/Core/PathUtility.cs
The filtering rule:
retVal = StringUtils.ReplaceIgnoreCase(retVal, "as", string.Empty);
The rule is so simple that it only replaces "as".
And the suggestion is:
After the replacement, add a check to enhance the filter: if "as" is still in the file extension, reject the upload.
POC:
A part of the response :
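The filter bypass described in this report, shown next to a hardened version of the check, as an added example that is not code from the siteserver/cms project. The allowlist, the script-extension denylist and the `replace_ignore_case` helper (assumed to behave like `StringUtils.ReplaceIgnoreCase`, a single-pass case-insensitive replace) are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample configuration, not the project's real settings: the administrator
# has added "aassp" to the permitted extensions, as described in the report.
PERMITTED_EXTENSIONS = {"jpg", "png", "pdf", "aassp"}

# Constructed denylist of server-executable extensions that must never be stored under the web root.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "ashx", "asmx", "cer", "cdx"}


def replace_ignore_case(value: str, needle: str, replacement: str) -> str:
    """Single-pass, case-insensitive replace; assumed to mirror StringUtils.ReplaceIgnoreCase."""
    return re.sub(re.escape(needle), replacement, value, flags=re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_store_extension(filename: str) -> Optional[str]:
    """Original order: allowlist check on the raw extension, then the 'as' strip.
    'shell.aassp' passes the allowlist and is stored with extension 'asp'."""
    ext = extension_of(filename)
    if ext not in PERMITTED_EXTENSIONS:
        return None
    return replace_ignore_case(ext, "as", "")


def hardened_store_extension(filename: str) -> Optional[str]:
    """Sanitise first, then validate the extension that will actually be written to disk."""
    ext = replace_ignore_case(extension_of(filename), "as", "")
    if "as" in ext:                      # the report's suggested check: the strip left "as" behind
        return None
    if ext in SCRIPT_EXTENSIONS:         # the stored name must not be a script type
        return None
    if ext not in PERMITTED_EXTENSIONS:  # the allowlist applies to the final, not the raw, extension
        return None
    return ext


if __name__ == "__main__":
    for name in ("shell.aassp", "photo.jpg", "shell.asp"):
        print(name, vulnerable_store_extension(name), hardened_store_extension(name))
```

The key change is ordering: the allowlist and denylist are evaluated on the normalised extension, so a name that only becomes "asp" after sanitisation is rejected.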