From: lists2 at onryou.com (Cael Abal)
Subject: ASP script using OpenTextFile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Tinsley wrote:
> Need some help from those out there versed in windows.  I am auditing
> an ASP based (VBScript) application which uses OpenTextFile as
> follows:
>
> Set f = fso.OpenTextFile(sLeadingPath + paramPageToRender + ".xsl",
> ForReading)
>
> I have been able to ../../../../ all over the place, but it only
> allows me to pick up files ending with .xsl.  I would like to print
> the contents of a non .xsl file to prove that not checking paths
> properly is a large issue.  But I have had no luck making it ignore
> the .xsl I have tried ../../foo.txt%00 ../../foo.txt%0a
> ../../foo.txt%0d.  But none of these seem to be working for me, does
> anyone know of a good way to end the file where I want and have it
> ignore the .xsl tacked on the end of the filename to be opened?  Any
> help is greatly appreciated.

Hi Paul,

You're right to raise concerns about this sort of code.  Consider this
example:

- ---snip---

sLeadingPath = "C:\"
paramPageToRender = "passwords.txt" + Chr(0)

set fso = CreateObject("Scripting.FileSystemObject")
set f = fso.OpenTextFile (sLeadingPath + paramPageToRender + ".xsl", 1)

WScript.echo (f.ReadAll)

- ---snip---

You had the right idea, you only needed to figure out how VBS represents
\0.  As you know, because strings are terminated with the null
character, the final string concatenation performed within
OpenTextFile() is disregarded.

Cheers,

Cael

(Heh, fear my leet VBS skills.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFATTLwR2vQ2HfQHfsRAvt1AKC2yNAhgIv/LS3EI9WOlS5PG2HzjQCg5hWV
QzwMDxw5ZomAit0gkj7Qga8=
=qiN/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists