FIX: QuickStart Source Viewer Enables User to Read Any Text File on the Host Server (312548)

The information in this article applies to:

  • Microsoft .NET Framework SDK 1.0
  • Microsoft .NET Framework Class Libraries 1.0

This article was previously published under Q312548

SYMPTOMS

The .NET Framework Software Development Kit (SDK) contains a source code viewer utility that enables a user to view any file on the host server.

CAUSE

The control accepts a path and a file in the query string and performs a simple string compare to determine if the file is valid. If you enter a valid path, and then type \..\..\ in the filename field, you can view any file on the host server.

RESOLUTION

The following workaround grants read-only permissions on the QuickStart sample directories and blocks access to everything else, including the following:
  • \QuickStart\Web.config
  • \QuickStart\Aspplus\Web.config
  • \QuickStart\Howto\Web.config
  • \QuickStart\Winforms\Web.config
You can install the QuickStart samples at C:\Program Files\Microsoft.NET\FrameworkSDK\Samples\QuickStart\.

Workaround

Perform the following code changes to work around the problem:
  1. In the file \FrameworkSDK\Samples\QuickStart\Util\SrcView.aspx, replace:
    MySourceCtrl.filename = dir + "\\" + file;
    with:
    MySourceCtrl.filename = Path.Combine(dir, file);
  2. In the file \FrameworkSDK\Samples\Quickstart\util\SrcCtrl.ascx:
    • Add the following line of code to the top of the file:
      <%@ Import Namespace="System.Security.Permissions" %>
    • Change:
      Trace.Write("Security Check", "<p>" + filename + " contains " + dir + "? ");
      Trace.Write("Security Check", String.Compare(filename, 0, dir, 0, dir.Length, true).ToString());
      Trace.Write("Security Check", "<p>" + filename + "==" + dir + "\\web.config" + "? ");
      Trace.Write("Security Check", String.Compare(filename, dir + "\\web.config", true).ToString());

      if ((String.Compare(filename, 0, dir, 0, dir.Length, true) != 0) || (String.Compare(filename, dir + "\\web.config", true) == 0)) {
          Response.Write(err_message);
          return;
      }
      to:
      // This step makes the filename canonical (removes any ..\..\).
      String fullFilename = new FileInfo(filename).FullName.ToLower();

      // Set the file permissions so that only files in the QuickStart
      // sample directories can be accessed.
      FileIOPermission filePerms = new FileIOPermission(PermissionState.None);
      filePerms.AddPathList(FileIOPermissionAccess.Read, new String[]
                     {Path.Combine(dir, "aspplus"),
                      Path.Combine(dir, "winforms"),
                      Path.Combine(dir, "howto")});
      filePerms.AllFiles = FileIOPermissionAccess.NoAccess;
      filePerms.PermitOnly();

      // Checks to make sure that the user cannot view the aspplus, winforms,
      // and howto web.configs.
      if ((fullFilename.IndexOf("aspplus\\web.config") != -1) ||
          (fullFilename.IndexOf("winforms\\web.config") != -1) ||
          (fullFilename.IndexOf("howto\\web.config") != -1))
      {
          Response.Write(err_message);
          return;
      }
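The following standalone C# console program is an added example; it is not code from the .NET Framework SDK or from this article. It places the viewer's original string-prefix check (the CAUSE section above) beside a check that canonicalizes the path first, and runs both over a few constructed sample requests so the difference is visible. It assumes a constructed sample root under the temp directory, uses Path.GetFullPath rather than FileIOPermission (code access security is specific to the .NET Framework), and generalizes the article's web.config test to reject any web.config under the root rather than only the three listed subdirectories.

```csharp
// Added example (not the SDK's own code): contrasts the QuickStart viewer's
// original prefix check with a canonical-path check. The sample root and the
// request strings below are constructed values, not taken from a real install.
using System;
using System.IO;

static class SrcViewCheck
{
    // Mirrors the original check: it only tests that the combined string
    // starts with the sample root, so "..\" segments in the file name slip
    // through because the string prefix is unchanged.
    public static bool OriginalCheckAllows(string dir, string file)
    {
        string filename = dir + "\\" + file;
        bool outsideDir = String.Compare(filename, 0, dir, 0, dir.Length, true) != 0;
        bool isRootWebConfig = String.Compare(filename, dir + "\\web.config", true) == 0;
        return !(outsideDir || isRootWebConfig);
    }

    // Canonicalize first (Path.GetFullPath resolves ".." segments), then
    // compare the resolved path against the resolved root, and refuse any
    // web.config regardless of which subdirectory it sits in.
    public static bool CanonicalCheckAllows(string dir, string file)
    {
        string root = Path.GetFullPath(dir)
                          .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(dir, file));

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false; // resolved outside the sample root
        if (string.Equals(Path.GetFileName(full), "web.config", StringComparison.OrdinalIgnoreCase))
            return false; // configuration files are never served
        return true;
    }

    static void Main()
    {
        // Constructed sample root; nothing is read from disk.
        string dir = Path.Combine(Path.GetTempPath(), "quickstart");
        string[] requests =
        {
            "aspplus/samples/intro1.cs",    // legitimate request under the root
            "/../../../../../boot.ini",     // the traversal string from the article
            "aspplus/web.config",           // per-sample configuration file
        };

        Console.WriteLine($"{"request",-32} original  canonical");
        foreach (string file in requests)
        {
            Console.WriteLine(
                $"{file,-32} {OriginalCheckAllows(dir, file),-9} {CanonicalCheckAllows(dir, file)}");
        }
    }
}
```

Running it shows the original check accepting both the traversal request and the subdirectory web.config, while the canonical check accepts only the first request. The check on the resolved path is deliberately done against the root with a trailing separator appended, so a sibling directory whose name merely begins with "quickstart" does not pass as a prefix match.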

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Microsoft .NET Framework SDK 1.1 and the .NET Framework Class Libraries 1.1.

MORE INFORMATION

Steps to Reproduce Behavior

  1. Install Visual Studio .NET or ASP.NET to install the Framework SDK.
  2. To install QuickStart, on the Start menu, point to Programs, point to Microsoft .NET Framework SDK, and then click Samples and QuickStart Tutorials.
  3. Browse to the following URL:
    http://<ComputerName>/quickstart/util/srcview.aspx?path=/quickstart/&file=/../../../../../boot.ini&font=3
  4. The text of your Boot.ini file appears in the browser window.

Modification Type: Major
Last Reviewed: 4/4/2003
Keywords:kbfix kbSample kbbug kbSecurity KB312548 kbAudDeveloper