| Author |
 Topic Search  Topic Options
|
WebWiz-Bruce 
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
 Posted: 10 May 2011 at 9:02am |
Web Wiz Rich text Editor version 4.07 which fixes this vulnerability has been released and is available from the download page:- Web Wiz RTE DownloadThis new version better detects the extension to prevent files named in this way from being uploaded. If you use versions of IIS prior to version 7 you should upgrade to this new version. Thanks RipSurge for bringing this problem to our attention.
|
|
|
 |
RipSurge
Newbie
Joined: 08 May 2011
Status: Offline
Points: 9
|
Posted: 15 May 2011 at 10:14am |
|
Thank you! :) So sad that we have to waste our time on things like this because of the immature "hobbies" of certain others...
|
|
RipSurge
Newbie
Joined: 08 May 2011
Status: Offline
Points: 9
|
Posted: 16 May 2011 at 11:11am |
|
Unfortunately, after upgrading, they still managed to upload a file "F2Z_bursalii.php;me.gif" and hack in again :(
|
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 16 May 2011 at 11:28am |
|
Will look in to this as it looks like there is a real issue with IIS 5 and 6 if it runs files named like this as PHP, ASP, etc. pages.
Hopefully you have done as I suggested and locked down your websites so only the upload folders have write permissions as such hacks would then be servilely limited.
Hopefully Microsoft will also patch this vulnerability in IIS 5 and 6 in it's next round of patches, rather than having to keep writing work arounds.
IIS 7 and above sees the files as in this example a GIF image and would refuse to run it. The OS itself also sees the file as a GIF, only IIS 5 and 6 process the file as a PHP file.
|
|
|
|
RipSurge
Newbie
Joined: 08 May 2011
Status: Offline
Points: 9
|
Posted: 16 May 2011 at 11:39am |
|
Thanx. Yes, though I found my VBScript (I usually use JScript) wasn't up to scratch and they got past my login check, but I have fixed that now. At least I found that there is still a vulerability in the process, so hopefully this will help protect others in the long run. Thanx for all your help :)
|
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 16 May 2011 at 11:57am |
|
I have been doing some digging and found that there is a vulnerability in IIS 6 and below with semicolons in file names.
The 'Microsoft IIS Semi-Colon Vulnerability' was found back in 2008 and only affects IIS 6 and below, so IIS 7 and above users are safe from it.
There are fixes you can make on the IIS server to help mitigate the issue, but as of this time Microsoft have not fixed it yet and as this has been around for some time I doubt they will as their newer IIS 7 and 7.5 are not vulnerable.
The work around to avoid this vulnerability will be to strip semicolons from uploaded files in the RTE.
Will have a fix out for this shortly.
|
|
|
|
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 16 May 2011 at 12:20pm |
Web Wiz Rich text Editor version 4.08 which fixes this vulnerability has been released and is available from the download page:- Web Wiz RTE DownloadThis new version strips semicolons from uploaded file names to prevent hackers from exploiting this vulnerability in IIS 6 and below.
|
|
|
|
RipSurge
Newbie
Joined: 08 May 2011
Status: Offline
Points: 9
|
Posted: 16 May 2011 at 12:39pm |
|
YAY! Thank you, and thanx for being so quick :)
|
|
Hackers Exploit in RTE v4.05