
Someone is trying to access our server page with an invalid query string, which throws an exception.

query string = ./../../../../../../../../../windows/system32md.exe

Exception:

Could not find file 'C:\windows\system32md.ex'.

How do I prevent these types of attack?

Jeevan Bhatt
    How do you use the query string parameter coming in? Executing it as a system command is definitely not recommended. – nunespascal Apr 09 '13 at 05:41
  • there is a link passing a guid in the query string. so the user is changing the query string in the browser, replacing the guid with ./../../../../../../../../../windows/system32md.exe. The guid is the name of a file on the server and we are creating a path with the GUID like: Server.MapPath("~\\folder\\" + GUID). – Jeevan Bhatt Apr 09 '13 at 06:01
  • jeevan, can you validate the GUID like in the link below? http://stackoverflow.com/a/2370706/797528 – Chandru velan Apr 09 '13 at 06:16
  • thanks Chandru, but it's not certain that it will always be a GUID; it can be a sub folder path. – Jeevan Bhatt Apr 09 '13 at 06:29
  • create a handler which will reject all the files with extensions which you do not want to be processed. – Chandru velan Apr 09 '13 at 06:43
  • Chandru: i have created a custom httpModule and added logic there, which is working as expected. now the issue is that it is working fine locally but not working on IIS 6.1, do you have any idea on this? – Jeevan Bhatt Apr 10 '13 at 09:09

2 Answers


This is not a CSRF attack. You may or may not have one of those as well - can't say.

It's a directory traversal attack.

we are creating a path with GUID like : Server.MapPath("~\folder\" + GUID)

Then that path can end up outside the ~\folder root by including 'go-up-a-directory' strings (..) in the GUID variable. Thus they may be able to access any file on your server's filesystem - not a good thing.

Before using user input in a filename, you need to check that it is in the limited format you expect. As well as directory traversal attacks, there are some other odd things you can do with Windows filenames (like reserved names, invalid names, accidental UNC paths, unsupported Unicode characters etc), so you should use strict whitelist validation to ensure you only get names you expect.

For a real GUID, you'd want to do a validation against the regex:

[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}

Or if you've got .NET 4.5 you can use Guid.TryParse.

Also: if someone is actively trying to exploit this, and it's not someone in the company doing approved security testing, you've got problems and should be investigating where the attacks are coming from.

bobince
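As an added example (not the asker's or the answer's own code), this is what the whitelist check described above could look like in C#, with a canonical-path containment check as a second layer; it also covers the "it can be a sub folder path" case raised in the comments. It assumes rootFolder is the physical path that Server.MapPath("~/folder") returns in the asker's application.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example; rootFolder is assumed to be the physical path of "~/folder".
public static class SafeFileLookup
{
    // The answer's GUID regex, anchored so nothing can be prepended or appended.
    private static readonly Regex GuidPattern = new Regex(
        "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$",
        RegexOptions.Compiled);

    // Case 1: the query-string value must be a bare GUID naming a file in rootFolder.
    // Returns the physical path, or null when the value is rejected.
    public static string ResolveGuidFile(string rootFolder, string requested)
    {
        Guid parsed;
        if (string.IsNullOrEmpty(requested) || !GuidPattern.IsMatch(requested)
            || !Guid.TryParse(requested, out parsed))
            return null;                                  // whitelist failed
        // Rebuild the name from the parsed value so only the canonical "D" form is used.
        return ResolveUnderRoot(rootFolder, parsed.ToString("D"));
    }

    // Case 2 (sub folder path from the comments): accept a relative path, but
    // reject traversal segments and prove the canonical result stays inside rootFolder.
    public static string ResolveUnderRoot(string rootFolder, string relative)
    {
        if (string.IsNullOrEmpty(relative))
            return null;
        foreach (string segment in relative.Split('\\', '/'))
            if (segment.Length == 0 || segment == "." || segment == "..")
                return null;                              // no "..", no empty/leading separators
        try
        {
            if (Path.IsPathRooted(relative))
                return null;                              // no absolute, drive or UNC paths
            string root = Path.GetFullPath(rootFolder)
                              .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, relative));
            // Defence in depth: the resolved path must still begin with the root folder.
            return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
        }
        catch (ArgumentException) { return null; }        // invalid characters in the name
        catch (NotSupportedException) { return null; }    // e.g. a stray colon in the path
        catch (PathTooLongException) { return null; }
    }
}
```

A null return should be turned into a 400/404 response rather than an exception, so a probing request no longer surfaces server paths in error text.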

The best solution is to have a white-list of folder names, either in a database or an XML file. Once you retrieve the querystring, run it against the list to return TRUE or FALSE. If it is not a folder name, then execute the logic of the GUID pattern. I think it is not CSRF but XSS.

Devesh