From: pdt at jackhammer.org (Paul Tinsley)
Subject: ASP script using OpenTextFile

Need some help from those out there versed in Windows.  I am auditing an 
ASP-based (VBScript) application which uses OpenTextFile as follows:

Set f = fso.OpenTextFile(sLeadingPath + paramPageToRender + ".xsl", ForReading)

I have been able to ../../../../ all over the place, but it only allows 
me to pick up files ending with .xsl.  I would like to print the 
contents of a non-.xsl file to prove that not checking paths properly is 
a large issue.  But I have had no luck making it ignore the .xsl.  I have 
tried ../../foo.txt%00, ../../foo.txt%0a and ../../foo.txt%0d, but none of 
these seem to be working for me.  Does anyone know of a good way to end 
the file where I want and have it ignore the .xsl tacked on the end of 
the filename to be opened?  Any help is greatly appreciated.

Thanks,
   Paul Tinsley
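
The remediation side of the finding described above, as an added example that is not part of the original message or the audited application: the page name is checked against an allowlist and the canonical path is confirmed to stay under the stylesheet directory before OpenTextFile is called. ResolveStylesheet is a hypothetical helper, and treating sLeadingPath as a directory path is an assumption; Server and Response are the ASP intrinsic objects.

```vbscript
Const ForReading = 1

' Hypothetical helper (not from the audited application): returns the full
' path of the stylesheet for pageName, or "" when the name is rejected.
Function ResolveStylesheet(fso, baseDir, pageName)
    Dim re, root, candidate
    ResolveStylesheet = ""

    ' Allowlist: letters, digits, underscore and hyphen only, so dots,
    ' slashes, colons and control characters never reach the file system.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
    If Not re.Test(pageName) Then Exit Function

    ' Canonicalise both paths, then require the candidate to sit under root.
    root = fso.GetAbsolutePathName(baseDir)
    If Right(root, 1) <> "\" Then root = root & "\"
    candidate = fso.GetAbsolutePathName(fso.BuildPath(root, pageName & ".xsl"))
    If StrComp(Left(candidate, Len(root)), root, vbTextCompare) <> 0 Then Exit Function

    ' Only files that actually exist in the stylesheet directory are served.
    If Not fso.FileExists(candidate) Then Exit Function

    ResolveStylesheet = candidate
End Function

' Usage inside the ASP page. sLeadingPath and paramPageToRender are the
' variables from the post; sLeadingPath is assumed to be a directory path.
Dim fso, sPath, f
Set fso = Server.CreateObject("Scripting.FileSystemObject")
sPath = ResolveStylesheet(fso, sLeadingPath, paramPageToRender)
If sPath = "" Then
    ' Reject without echoing the supplied value or the resolved path.
    Response.Status = "400 Bad Request"
    Response.End
End If
Set f = fso.OpenTextFile(sPath, ForReading)
```

The appended ".xsl" is not a path check: the allowlist and the containment test are what keep the request inside the stylesheet directory.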

