The Nessus Vulnerability Scanner was run against a legacy code website. There's a lot of advice about how to prevent null byte injection attacks with PHP but I cannot find anything about fixing this in classic ASP with VBScript.

Here's the scanner's attack on our public site:

http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>

I've tried to add validity checking to the QueryString input but my efforts have not worked. Something about the %00 results in masking my attempts to check for proper values. Here are some relevant code snippets:

Function getUserInput(input)
    Dim newString
    If Len(input) = 0 Then
        getUserInput = ""
        Exit Function
    End If
    newString = input        'this was omitted in original post but was in fact in the code
    newString = Replace(newString, Chr(0), "")  'I thought this would fix it!
    newString = Replace(newString, "--", "")
    newString = Replace(newString, ";", "")
    newString = Replace(newString, Chr(34), "'")
    newString = Replace(newString, "'", "")
    newString = Replace(newString, "=", "=")
    newString = Replace(newString, "(", "[")
    newString = Replace(newString, ")", "]")
    newString = Replace(newString, "'", "''")
    newString = Replace(newString, "<", "[")
    newString = Replace(newString, ">", "]")
    newString = Replace(newString, "/*", "/")
    newString = Replace(newString, "*/", "/")
    getUserInput = newString
End Function

implied_Menu = UCase(getUserInput(Request.QueryString("Menu")))  'store Menu value for Fast-Path link
Select Case implied_Menu
    Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
        implied_SQLName = MARKETSHAREZip
    Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
        implied_SQLName = PMIMARKETSHARE
    Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
        implied_SQLName = FHAMARKETSHAREDETAILS
    Case ""
        implied_SQLName = MARKETSHARE
    Case Else
        Response.Write("<h2>Invalid Menu parameter</h2>")
        Response.End
End Select

The Menu values that are proper are either:

  • totally missing (that is, Menu= is not in the QueryString)
  • part of the series of valid values as sketched in the Select Case logic above

On my development machine, I can change %00 to %0 and have the error flagged with the Response.Write message then Response.End, but something about the %00 gets past my attempts to check it.

John Adams

  • You have not assigned any value to the `newString` before replace. – Kul-Tigin Nov 03 '16 at 08:56
  • Like @Kul-Tigin says, you need to assign `input` to `newString` before you start calling `Replace()` on `newString` or you'll be replacing nothing. – user692942 Nov 03 '16 at 10:33
  • I made a mistake in pasting code into the original post. The assignment of the input value to newString was in fact in the code but failed to make it properly into this original post. The problem still exists. – John Adams Nov 03 '16 at 16:57

1 Answer

I would suggest handling this with a regular expression:

Function getUserInput(sInput)
    Dim obj_regex
    Set obj_regex = New RegExp

    obj_regex.IgnoreCase = True
    obj_regex.Global = True
    obj_regex.Pattern = "\W"

    getUserInput = obj_regex.Replace(sInput, "")
    Set obj_regex = Nothing
End Function

Since all your menu entries contain only alphanumeric characters and the underscore, you can replace every other character.

gpinkas
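An added example, not code from the question or the answer: an allow-list check in VBScript that compares the decoded Menu value against the exact set of names listed in the question's Select Case, with no Replace or regex sanitizing step at all. The function names (BuildMenuMap, ValidateMenu, RunChecks), the use of a Scripting.Dictionary, the representation of the table identifiers as strings, and the constructed sample inputs (including the URL-decoded form of the scanner's payload) are assumptions made for this example. It runs stand-alone with cscript.exe; in the .asp page you would pass Request.QueryString("Menu") to ValidateMenu and drop the RunChecks driver.

```vbscript
' Added example (not from the question or answer): allow-list validation
' of the Menu parameter. Names, the Dictionary-based map and the sample
' inputs below are constructed for illustration.
Option Explicit

' Builds the map of every accepted Menu value to the table it selects.
' The empty key covers the case where Menu= is absent from the query
' string. Table identifiers are held as strings here (assumption); the
' original page assigns them from constants instead.
Function BuildMenuMap()
    Dim m, k
    Set m = CreateObject("Scripting.Dictionary")
    m.CompareMode = vbTextCompare          ' case-insensitive key lookup
    m.Add "", "MARKETSHARE"
    For Each k In Array("FHA_ZP", "C_ZP", "J_ZP", "F_ZP")
        m.Add k, "MARKETSHAREZip"
    Next
    For Each k In Array("P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION")
        m.Add k, "PMIMARKETSHARE"
    Next
    For Each k In Array("FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", _
                        "FHA_ZP_D", "FHA_NATION_D")
        m.Add k, "FHAMARKETSHAREDETAILS"
    Next
    Set BuildMenuMap = m
End Function

' Returns True and sets tableName when rawValue is exactly one of the
' allowed names (ignoring case); otherwise returns False. Nothing is
' stripped or rewritten first, so a value carrying Chr(0), quotes or
' angle brackets simply fails to match any key and is rejected whole.
Function ValidateMenu(rawValue, ByRef tableName)
    Dim menus, key
    Set menus = BuildMenuMap()
    ' Request.QueryString("Menu") yields an empty/Null-like item when the
    ' parameter is missing; treat that the same as "".
    If IsNull(rawValue) Or IsEmpty(rawValue) Then
        key = ""
    Else
        key = CStr(rawValue)
    End If
    If menus.Exists(key) Then
        tableName = menus(key)
        ValidateMenu = True
    Else
        tableName = ""
        ValidateMenu = False
    End If
End Function

' cscript.exe driver over constructed inputs. Remove this when pasting
' into an .asp page (WScript is not available there); instead call
'   If Not ValidateMenu(Request.QueryString("Menu"), implied_SQLName) Then
'       Response.Write "<h2>Invalid Menu parameter</h2>" : Response.End
'   End If
Sub RunChecks()
    Dim cases, c, table
    cases = Array( _
        Chr(0) & "<""kzwezl >", _   ' decoded scanner payload: rejected
        Chr(0), _                   ' lone null byte: rejected
        "P_ALL;", _                 ' near miss with a stray character: rejected
        "fha_zp", _                 ' valid name in odd casing: accepted
        "")                         ' absent parameter: accepted, default table
    For Each c In cases
        If ValidateMenu(c, table) Then
            WScript.Echo "accepted -> " & table
        Else
            ' Report only the length, never echo the rejected value itself.
            WScript.Echo "rejected (" & Len(c) & " chars)"
        End If
    Next
End Sub

RunChecks
```

The difference from the Replace chain in the question is that this never tries to enumerate bad characters: anything that is not an exact member of the allowed set is refused, so the check does not depend on whether a particular byte survived decoding or a Replace call. The rejection branch also keeps the fixed "Invalid Menu parameter" message the question already uses and never writes the offending value back into the response, which is what turns a bad parameter into a reflected-markup finding on a scanner report.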