ItalianMan

Reputation: 21

System Folder Classic ASP Vulnerability?

While I was on my site I mistyped a symbol and the page came back with an "error(?)".

browse.asp?A=0000 <-- That is the folder I placed a backwards slash at.

Here is my issue: when that happened, this is what appeared: "System Folder - Do Not Delete". Is this a vulnerability(?) or is this just an error, nothing to really worry about?

Upvotes: 2

Views: 778

Answers (1)

SilverlightFox

Reputation: 33578

This could be a directory traversal vulnerability.

This is when a malicious user can enter .. or / characters into a parameter that your application uses to locate a file. This can be more tricky than expected to defend against, as filtering the .. and / characters may not always be enough. Attackers can bypass the filters of certain languages by double encoding these characters, by swapping / for \, by passing null bytes (%00), or by a combination thereof.

To defend against this your page should check the following (in order).

  • Fully decode and then canonicalize the directory parameter value before checking for /, \ and null bytes. If the parameter value contains any, you should fail with an error (do not try to "clean" the parameter, as the sanitization routine could be something for the attacker to attempt to bypass). e.g. /bar/../foo.jpg should be normalised as foo.jpg, as the .. characters are moving the current directory outside of the bar directory. Basically you are attempting to create a single normalized path for each file that can be referenced by your parameter, so you can compare like for like.
  • The application should use a hard-coded list of permissible file types and reject any request for a different type.
  • A file system function should verify the directory name and check that it is the same as the application is expecting to access the file within (this would be the GetAbsolutePathName function in ASP).

Have a look at this article for more information: How to test for directory (path) traversal.

Upvotes: 2
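As an added example that is not part of the question or the answer above, here is how the three checks could be laid out in a Classic ASP (VBScript) page. The /browse virtual directory, the four-digit folder id shape (taken from the question's A=0000), the image-only extension list and the function names are all assumptions made for the example.

```vbscript
<%
Option Explicit
' Added example, not code from the question or answer. Assumptions: browsable
' folders live under the /browse virtual directory, folder ids are four digits
' (as in the question's A=0000), and only image files may be served.
Const BASE_VIRTUAL = "/browse"
Const ALLOWED_EXTENSIONS = "|jpg|jpeg|gif|png|"

' Check 1: reject the value if, after full decoding, it contains separators,
' null bytes or "..". Check 3: resolve it with the file system and confirm it
' still sits inside the expected base folder.
' Returns the absolute folder path, or "" if the value is rejected.
Function SafeFolderPath(rawValue)
    Dim fso, basePath, candidate, decoded, re
    SafeFolderPath = ""

    ' Request.QueryString has already URL-decoded once; Unescape catches a
    ' second layer (double encoding such as %252e%252e).
    decoded = Unescape(CStr(rawValue))

    ' Fail outright rather than stripping the characters out.
    If InStr(decoded, "/") > 0 Or InStr(decoded, "\") > 0 Then Exit Function
    If InStr(decoded, Chr(0)) > 0 Or InStr(decoded, "..") > 0 Then Exit Function

    ' The parameter is an id, so require exactly that shape (assumed format).
    Set re = New RegExp
    re.Pattern = "^[0-9]{4}$"
    If Not re.Test(decoded) Then Exit Function

    ' Canonicalize both paths and compare like for like.
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    basePath = fso.GetAbsolutePathName(Server.MapPath(BASE_VIRTUAL))
    candidate = fso.GetAbsolutePathName(fso.BuildPath(basePath, decoded))
    If LCase(Left(candidate, Len(basePath) + 1)) <> LCase(basePath & "\") Then Exit Function
    If Not fso.FolderExists(candidate) Then Exit Function

    SafeFolderPath = candidate
End Function

' Check 2: a hard-coded list of permissible file types. Returns the absolute
' path of a file directly inside folderPath, or "" if the name or type is rejected.
Function SafeFilePath(folderPath, rawName)
    Dim fso, decoded, candidate, ext
    SafeFilePath = ""
    decoded = Unescape(CStr(rawName))
    If InStr(decoded, "/") > 0 Or InStr(decoded, "\") > 0 Then Exit Function
    If InStr(decoded, Chr(0)) > 0 Or InStr(decoded, "..") > 0 Then Exit Function

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ext = LCase(fso.GetExtensionName(decoded))
    If ext = "" Or InStr(ALLOWED_EXTENSIONS, "|" & ext & "|") = 0 Then Exit Function

    ' The file's parent must be exactly the verified folder, not a sub-folder.
    candidate = fso.GetAbsolutePathName(fso.BuildPath(folderPath, decoded))
    If LCase(fso.GetParentFolderName(candidate)) <> LCase(folderPath) Then Exit Function
    If Not fso.FileExists(candidate) Then Exit Function

    SafeFilePath = candidate
End Function

Dim folderParam, folder
folderParam = Request.QueryString("A")
folder = SafeFolderPath(folderParam)
If folder = "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid folder."
    Response.End
End If
' folder is now a verified path under /browse; list or serve files from it
' via SafeFilePath(folder, Request.QueryString("f")) rather than raw input.
%>
```

The order matters: the separator and null-byte checks run on the fully decoded value before anything touches the file system, the allowed-extension list is fixed in the page rather than derived from the request, and GetAbsolutePathName is used on both the base directory and the candidate so that the final comparison is between two canonical paths. A rejected value produces a plain 400 response instead of the server's default error page, which is what exposed the "System Folder" text in the question.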
