Microsoft KB Archive/312548

= FIX: QuickStart Source Viewer Enables User to Read Any Text File on the Host Server =

Article ID: 312548

Article Last Modified on 4/4/2003

-

APPLIES TO


 * Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2
 * Microsoft .NET Framework Class Libraries 1.0

-



This article was previously published under Q312548



SYMPTOMS
The .NET Framework Software Development Kit (SDK) contains a source code viewer utility that enables a user to view any file on the host server.



CAUSE
The control accepts a path and a file name in the query string and performs a simple string comparison (a prefix match against the supplied path) to determine whether the file is valid. If you enter a valid path and then type \..\..\ in the filename field, the prefix still matches and you can view any file on the host server.



RESOLUTION
The following workaround sets read-only permissions on the QuickStart directory and blocks access to everything else, including the following files:
 * \QuickStart\Web.config
 * \QuickStart\Aspplus\Web.config
 * \QuickStart\Howto\Web.config
 * \QuickStart\Winforms\Web.config

You can install the QuickStart samples at C:\Program Files\Microsoft.NET\FrameworkSDK\Samples\QuickStart\.

Workaround
Perform the following code changes to work around the problem.

In the file \FrameworkSDK\Samples\QuickStart\Util\SrcView.aspx, replace:

    MySourceCtrl.filename = dir + "\\" + file;

with:

    MySourceCtrl.filename = Path.Combine(dir, file);

In the file \FrameworkSDK\Samples\Quickstart\util\SrcCtrl.ascx:

Add the following line of code to the top of the file:

    <%@ Import Namespace="System.Security.Permissions" %>

Change:

    Trace.Write("Security Check", " " + filename + " contains " + dir + "? ");
    Trace.Write("Security Check", String.Compare(filename, 0, dir, 0, dir.Length, true).ToString());
    Trace.Write("Security Check", " " + filename + "==" + dir + "\\web.config" + "? ");
    Trace.Write("Security Check", String.Compare(filename, dir + "\\web.config", true).ToString());

    // Prefix comparison only: a ..\ after the prefix still passes.
    if ((String.Compare(filename, 0, dir, 0, dir.Length, true) != 0) ||
        (String.Compare(filename, dir + "\\web.config", true) == 0))
    {
        Response.Write(err_message);
        return;
    }

to:

    // This step makes the filename canonical (removes any ..\..\).
    String fullFilename = new FileInfo(filename).FullName.ToLower();

    // Set the file permissions so that only files in the QuickStart
    // sample directories can be accessed.
    FileIOPermission filePerms = new FileIOPermission(PermissionState.None);
    filePerms.AddPathList(FileIOPermissionAccess.Read, new String[]
        {Path.Combine(dir, "aspplus"),
         Path.Combine(dir, "winforms"),
         Path.Combine(dir, "howto")});
    filePerms.AllFiles = FileIOPermissionAccess.NoAccess;
    filePerms.PermitOnly();

    // Checks to make sure that the user cannot view the aspplus, winforms,
    // and howto web.configs.
    if ((fullFilename.IndexOf("aspplus\\web.config") != -1) ||
        (fullFilename.IndexOf("winforms\\web.config") != -1) ||
        (fullFilename.IndexOf("howto\\web.config") != -1))
    {
        Response.Write(err_message);
        return;
    }
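The following script is an added example and is not part of this article or of the SDK sample; it models the two checks described in the CAUSE and Workaround sections side by side: the original prefix comparison, which a ..\ sequence passes because the string still begins with the allowed directory, and the canonicalise-then-contain logic the workaround introduces. It uses Python's ntpath module so that the Windows path semantics of the sample are emulated on any platform; the directory QUICKSTART_DIR, the function names and the query-string values are constructed for illustration (the three subdirectory names are the ones the workaround permits).

```python
import ntpath

# Constructed sample root for the QuickStart tutorials (drive and site path are
# made up); the three subdirectory names are the ones the workaround allows.
QUICKSTART_DIR = r"C:\inetpub\wwwroot\quickstart"
ALLOWED_SUBDIRS = ("aspplus", "winforms", "howto")


def original_check(dir_, file):
    """Pre-fix logic from SrcCtrl.ascx, reproduced in Python: build
    dir + '\\' + file, accept it if its first len(dir) characters equal dir
    (case-insensitive) and the whole string is not dir\\web.config.
    Any '..' after the prefix survives this test, which is the bug."""
    filename = dir_ + "\\" + file
    prefix_ok = filename[:len(dir_)].lower() == dir_.lower()
    is_root_web_config = filename.lower() == (dir_ + "\\web.config").lower()
    return prefix_ok and not is_root_web_config


def hardened_check(dir_, file):
    """Workaround logic: canonicalise first (ntpath.normpath collapses '..'
    and '.' and turns '/' into '\\', as FileInfo.FullName does on Windows),
    then require the result to sit strictly below one of the allowed sample
    directories and not be that directory's web.config. The decision is made
    on the canonical string, never on the raw query-string value."""
    full = ntpath.normpath(ntpath.join(dir_, file)).lower()
    for sub in ALLOWED_SUBDIRS:
        root = ntpath.join(dir_, sub).lower()
        # Separator-aware containment so "aspplus2" is not mistaken for "aspplus".
        if full.startswith(root + ntpath.sep):
            if full == ntpath.join(root, "web.config"):
                return False
            return True
    return False


if __name__ == "__main__":
    # Constructed query-string values: a legitimate sample file, traversal in
    # backslash and forward-slash form, and the protected configuration files.
    samples = [
        r"aspplus\default.aspx",
        r"..\..\..\boot.ini",
        r"aspplus\..\..\..\..\boot.ini",
        "aspplus/../../../boot.ini",
        "web.config",
        r"aspplus\web.config",
        r"aspplus2\x.aspx",
    ]
    for f in samples:
        print(f"{f:35} original={original_check(QUICKSTART_DIR, f)!s:5} "
              f"hardened={hardened_check(QUICKSTART_DIR, f)}")
```

Running the script prints one row per sample value; the traversal rows show the original check returning True and the hardened check returning False. The point to carry away is that any allow-list or prefix test on a file path must run after canonicalisation, and that containment must be separator-aware, otherwise a sibling directory whose name merely starts with the allowed one is accepted.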


STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Microsoft .NET Framework SDK 1.1 and the .NET Framework Class Libraries 1.1.


Steps to Reproduce Behavior
 1. Install Visual Studio .NET or ASP.NET to install the Framework SDK.
 2. To install QuickStart, on the Start menu, point to Programs, point to Microsoft .NET Framework SDK, and then click Samples and QuickStart Tutorials.
 3. Browse to the following URL:
    http://<ComputerName>/quickstart/util/srcview.aspx?path=/quickstart/&file=/../../../../../boot.ini&font=3
 4. The text of your Boot.ini file appears in the browser window.

Additional query words: kbreadme

Keywords: kbbug kbfix kbsecurity kbsample KB312548

-


© Microsoft Corporation. All rights reserved.