Server side injection on ASP.NET backend (IIS) by arbitrary file upload - javascript

I'm not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way.
Let's assume I'm an idiot (and I'm not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server in a subfolder (let's call it 'danger') of my ASP.NET application, hosted on IIS.
Being that way, anybody can upload a generic example.html file and access it back at the URL mydomain.com/danger/example.html. They can also upload JS files and whatever they want.
Let's forget for a moment the fact they can fill my disk.
Given I prevented ASP execution from files in that folder, what kind of damage can I be subjected to?
Thanks in advance.

Just off the top of my head:
An attacker could upload a corrupted file which would trigger a remote-code execution vulnerability in your antivirus, potentially executing code under the local system account. (I've seen this happen with Windows Defender, and I've seen reports of similar vulnerabilities in other AV products.)
They could upload a file with a mangled name which exploited a bug in IIS to bypass your file-type checks and the "no execute" flag on the folder. (I've seen this reported, albeit in a very old version of IIS.)
If the files can be accessed publicly, they could host their own content on your site, potentially including illegal or malicious content. This could damage your site's reputation, and potentially leave you liable to prosecution.

Well, yes, you do have to be careful IF YOU allow any kind of preview, or say allow the person to download the file, but when you download, you also attempt some kind of preview on the server.
In fact, this is not a lot different than dropping a simple text box into a form, and then letting the user type in information into that text box, you then say hit the submit button, and now re-display the page with what they just typed in.
What happens if they start typing in JavaScript text into that text box?
Say a multi-line text box in which you can type in a paragraph of comments or text.
So, you type in this:
Hello how are you
<script>
JavaScript code here
</script>
Now, when you go to re-plot the page - not only are you re-displaying what was typed in, but the script code typed in ALSO will run!
In fact, if you drop a text box on a web page, and do this:
Hello, how <script> are you
You notice you get a page execution error (because ASP.NET has built-in protection to NOT allow this). However, if you adopt some HTML editor text box (ckEdit, or ajaxtoolkit editor), such controls will have additional security code to prevent end users from typing in script code.
So, a few things you have to be concerned about:
If you allow up-loading of files, then ensure that you don't have code that attempts to load/execute that file. So, you might allow users to up-load pdf files, and then maybe have a routine that attempts to "open" or use that file. But what happens if they, in place of a pdf file, up-load a MyTest.exe? In other words, they up-load an executable program in place of a pdf? Well, then you're mostly ok, but you BETTER NOT have code that attempts to load such files - especially code behind that may use some library or code that in effect launches that pdf or word or exec file. Since that code then might try to load or run what is now a .exe program.
So, this means a few things:
You want to limit the file extensions allowed
You need to ensure that your code does not "execute" that up-load file
If you allow download of that file, then be careful how you do this (again, ensure that you don't open up the possibility to execute that file).
So, for the most part you should be ok, but if up-loaded files are further processed by your server side code, then just be aware of HOW you open or process such up-loaded files.
As noted, say users up-load a simple text file, and after up-loading you take the text from that file, and then display it in some kind of memo or text box in a web page. But, again, are you sure it is just text in that file? And if you pull the content from that file and THEN have it render in your browser (because you assumed text), it now might have browser code injected into that text file.
So, any point in your server side code that opens up-loaded files, pulls the content and THEN say spits out that content for display of data is a caution area.
So, the first simple line of defense?
Limit the types of files. If users are expected to upload only PDF files then ONLY allow say PDF and maybe .zip file extensions - reject anything else.
And as noted, just keep in mind any kind of post-processing code you have that runs AFTER up-loading that file. If your site is taking such up-loaded files, and is to open up the file(s), AND THEN DISPLAY that content back to the end user, then again caution is required, since when you display such content in a browser, that content in theory can have script code - and like anything else your code spits out to the browser (like a web page with HTML etc.) also means that the browser will run that script code.
I mean, a browser simply takes whatever the server sends to that browser, and renders the HTML. However, these days, browsers have MUCH more ability to also run code in that browser. So, that's why now you can say run cool games 100% in a browser, since browsers have become VERY powerful systems, and almost their own computer system in their own right. So, the ability of browsers to run code and give an experience that rivals the desktop in terms of speed and response (and even interactive games) is the result of browsers now being able to run code and do much MORE than just display some simple HTML.
So, under no case should you allow up-loading of files, and then have some software that can "run" or even pull contents of that file and spit it out back to the user in the form of browser display. And the reason is that file content may well have executable code in that file contents.
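One way to apply the checks listed in the answer above, as an added C# example that is not part of the original answer or of any library: `UploadGuard` and its member names are hypothetical, the `.pdf`/`.zip` allowlist comes from the answer's own suggestion, and the sample inputs in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;

// Added illustration: UploadGuard and its members are hypothetical names.
public static class UploadGuard
{
    // Allowlist taken from the answer's suggestion: PDF and maybe .zip.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".pdf", ".zip" };

    // Returns a server-generated name to store the upload under, or null to reject it.
    public static string StoredNameFor(string clientName)
    {
        if (string.IsNullOrWhiteSpace(clientName)) return null;
        // Refuse separators and characters with special meaning in file names.
        if (clientName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            clientName.IndexOfAny(new[] { '/', '\\', ':', ';' }) >= 0) return null;
        string ext = Path.GetExtension(clientName);
        if (!Allowed.Contains(ext)) return null;
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    // Text pulled from an upload is HTML-encoded before display, so markup shows as text.
    public static string ForHtmlDisplay(string uploadedText)
    {
        return WebUtility.HtmlEncode(uploadedText ?? string.Empty);
    }

    // Headers for handing the raw file back: save it, do not render it.
    public static Dictionary<string, string> DownloadHeaders(string storedName)
    {
        return new Dictionary<string, string>
        {
            { "Content-Type", "application/octet-stream" },
            { "Content-Disposition", "attachment; filename=\"" + storedName + "\"" },
            { "X-Content-Type-Options", "nosniff" }
        };
    }

    public static void Main()
    {
        // Constructed sample inputs.
        foreach (string n in new[] { "report.PDF", "MyTest.exe", "notes.pdf.html" })
            Console.WriteLine(n + " -> " + (StoredNameFor(n) ?? "rejected"));
        Console.WriteLine(ForHtmlDisplay("Hello <script>JavaScript code here</script>"));
    }
}
```

Because the stored name is generated on the server, nothing from the client-supplied name other than an allowlisted extension reaches the file system.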

Related

Getting Input From HTML And Storing It In A File (Static Website)

I am trying to make a simple form submission in a GitHub Repository.
Basically what I want to do is take the input of an HTML Tag and then store it in another local file such as another HTML file or a text file without a back-end.
I understand that there was a saveAs function within JavaScript (however I read that it had been discontinued due to security reasons). Once I get the data stored in a file I would call it in the HTML page with the <embed> tag to show it on the page. So basically I want the input on the page, and then when it is appended to the file, to show up on the same page again when the page is refreshed. My reason for doing this is to make a make-shift Google WorkSpace-like page for my production studio.
Here's a visual of what I want to do:
HTML PAGE:
Embedded File Contents (externalfile.html) Go Here.
Input: Input Goes Here
Submit
When Submit is pressed, it takes the contents within the "Input Goes here" box and appends it to "externalfile.html", then when the page is refreshed, it shows the updated content above the form.
I am not well-versed in JavaScript but I know jQuery a good bit from making a few websites with Wix, but I do not know much native JavaScript nor its functions. Any advice would be helpful. :) Thank you. I would be adding multiple input boxes and such on the page.
Hello and welcome to StackOverflow!
Now, if I got your question right, you want to append something to a file and read this file without using any backend? Then I must disappoint you, because there is no way JavaScript allows this, since it would be a tremendous security risk. The reason is that any malicious JavaScript code on any webpage could then not only create malware files on your PC and drag them to some startup folder, but would also be able to read all the files and documents on your machine (without your knowledge!). So I think you see where the problem is.
For your task I recommend using some kind of backend (e.g. NodeJS, PHP) and making things work with API requests and asynchronous JavaScript. Or you could serve your site with an ExpressJS backend and statically fetch the request and append its contents to a file. Then of course send an HTML file back with all the inputs the user made. The choice is yours.
Cheers

linking html web page to text editor to practice

I'm trying to link this page http://www.bauer.uh.edu/parks/f1471m.htm to my text editor (TextMate) on a Mac.
I even copied the code and pasted it into an HTML file, and made a .js file (the one I'm trying to use to practice with) in the same folder, and tried to use the local tag with no success.
I tried using src="http://www.bauer.uh.edu/parks/f1471m.htm" with no luck.
Am I doing something wrong?
I'm making a few assumptions here...
From what you're describing, I think you're trying to directly edit the file. Unless you have write access on that server, what you're doing isn't going to work. Some web development software will allow you to do this, but most text editors don't.
Can you work on the file locally (on your computer's file system) and upload it to the server through FTP?
Many browsers give you the ability to save a page locally these days. That would set up the proper structure for you on your own machine. (FireFox can do this using Save Page)

Client-side CGI, JavaScript / Python

Is it possible to pass information from the client-side browser using JavaScript to a client-side Python script using Python CGI? I have done some light googling and everything points to server-side Python scripts receiving information from client-side browsers. I have a somewhat unique'ish project that would require the ability to pass this information locally from browser to a local script.
For example I would have a webpage with a table. In each cell in the table would be an image with a checkbox next to it. When I hit submit, the checked unique values from each checkbox that was checked would be pass to a local python script, from which further processing would occur.
Any thoughts on this? Thank you!
Edit - There is likely some confusion as to my oddball question, so a tad bit more clarification. My Python script starts out by mounting and walking an NTFS volume, making a list of the path of every graphic file found. It then mounts a RAM disk. The Python script then generates thumbnails of each image found. The Python script then generates a "master" HTML page, and then dynamic amounts of HTML pages to be used in an iframe. The HTML files and thumbnail files are stored in the RAM disk. The iframe pages contain the thumbnails in tables of all images found on the computer with check boxes next to each thumbnail. After all this information is generated the Python script then opens a browser calling that page in the RAM disk. The user is then supposed to check images of interest; the checked checkbox values are stored in an array. When the user has finished selecting all of their items, the user would submit. What I would like to then happen would be for the array values to be passed to the Python script, then the Python script would take each item referenced from the values in the array and hash them, then stick the thumbnails onto a PDF, 8 per page, each thumbnail with hash values of the original file, path and modified/accessed/created times from the OS. To generate the hash values of the local image files and get the MAC times I need to access the local machine with Python, as JS lives in its little sandbox. Hope this makes sense!
You can set up your own local server and connect the browser to it. Something has to open a connection and something has to listen for connections. So automatically your Python client turns into a server, however it sounds.
Anyway, why are you not using just JavaScript? Most things can be done with JS alone.
UPDATE:
You can also just forget about HTML and JavaScript and make everything in Python. Check PyQt4, you can pretty easily make your own GUI to check images with it.

Loading Text file to HTML textarea from mobile phone storage

I am writing an app for mobile phones using HTML5, JavaScript and CSS. One part of the app should allow the user to load a text file present in the phone's local storage into a text area provided on that page. My questions are:
How do I create a file dialog box to ask the user to select the txt file? (Is it possible?)
I read something about PHP etc. to load files but I have no experience in it. Is there a code snippet that I could use to load a text file? Do JavaScript or jQuery Mobile have something to do this?
Once I load it into the textarea, I want to edit it and save it again.
It would be helpful if someone can throw some light on this or direct me towards some resource where I can learn about it.
Local I/O is never allowed directly, for what should be fairly obvious security reasons. You need to set up an <input type="file"> form to do this, but I'm not sure how those behave on a mobile platform. I'm sure that that would vary between platforms. Assuming a successful file upload and transmission to your editing area, saving back to storage would require a file download you would have to initiate, and which the user could choose to accept or ignore.
You use the words "local storage" and your tags include HTML 5, so there are additional options. You can look in to the LocalStorage API, which allows you to store larger amounts of data which you can then retrieve, allow editing on, and save. This is controlled by the browser to eliminate security issues. There is also the File API, which allows reading files. I believe this is read-only, however, (again for security) and may not be what you are looking for.

Looking for doc on why IE "yellow bar" shows when opening a HTML file that contains JavaScript

I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.
On some machines, you get an IE "yellow bar" when trying to open the file you saved. The "yellow bar" in IE is warning that the HTML is trying to run an Active X (which it is not, there is only JavaScript doing a submit() on a form). However if you receive the exact same HTML file by email, save it, and open it, you don't have this problem. (It looks like IE is putting some more constraint on what can be done in a HTML file you saved from web site.)
My question is: where can I find documentation on this IE security mechanism, and possibly how can I get around it?
Alex
The yellow bar is because your page is executing in the Local Machine security zone in IE. On different machines, the Local Machine security zone might be configured in different ways, so you can see the yellow bar on some machines and not see it on other machines.
To learn more about the IE's URL Security Zones, you can start reading here: http://msdn.microsoft.com/en-us/library/ms537183.aspx
Look here for details on the MOTW - Mark Of The Web
If you add this to your locally served pages, IE will not show the yellow bar.
http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
I am not sure about any specific document, but if you open the properties for the file in Windows Explorer, on the General tab, is the file blocked? If so, click Unblock and try again and see if you get the same issue. This is typical security for files downloaded from the internet.
Other than that I am afraid I don't know what else to suggest.
I don't 100% follow what your JavaScript is submitting to, but if you're submitting back to the original site from the downloaded copy you'll have a problem using JavaScript as all browsers treat cross-domain JavaScript as a security violation.
JavaScript isn't allowed to read or write to any site not on the current domain
As Franci had said, it is because you are in the local machine security context and this allows scripts to create objects and execute code that could do harm to your PC. For example you can create a File System Object and perform tasks that an untrusted page shouldn't perform generally because it could be malicious in nature.
Have you tried changing the file name from yourname.html to yourname.hta to see if the security problem goes away?
More on HTML Applications (.HTA files): http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx
