December 7th 2010

Security Advisory: Please update MWPSK to version 1.3.1

We discovered a critical security issue that enables attackers to upload files to websites running MWPSK 1.3.0.

We rate the severity of the issue as HIGH and are applying the Emergency operation procedure from our Security Operation Procedures to solve the problem. We invite everyone else to act according to these recommendations as well; we created them to cope with exactly such an incident.

Please replace the current ftb.imagegallery.aspx in the root of your MWPSK installation with the fixed one!

When will a solution for the problem be available?

The problem is solved in the latest version (1.3.1) of the starter kit.

What does this really mean for my installations?

Someone who knows how to exploit it could potentially gain access to any data file stored as part of any MWPSK based website, upload their own files, or overwrite existing ones.

What can I do as a first measure to defend my website against such a hacker attack?

You should back up your site now by downloading the whole content of the \app_data folder to your local machine.
Then replace your existing ftb.imagegallery.aspx with the fixed one.

What if I’m using a version of MWPSK earlier than 1.3.0?

Versions earlier than 1.3.0 do not contain the Free Text Box and are therefore not affected by this issue.

Last edited Dec 7, 2010 at 1:28 PM by MRAatFC, version 1

Comments

paro Oct 30, 2011 at 7:24 PM 
This fixed one can't solve the problem. To solve the problem,
replace the <script runat="server"> code of your ftb.imagegallery.aspx file with the code below.
After that, only authenticated users can upload files to your server,
but it doesn't fix the problem completely because authenticated users can
upload any file to the server.

Any help please.

<script runat="server">
// Restrict ftb.imagegallery.aspx to authenticated users and to paths beneath
// ~/App_Data/UserImages/Image (the check posted in the comment above).
protected override void OnLoad(EventArgs e)
{
    // Missing query parameters must not throw a NullReferenceException on ToLower().
    string rif = (Request.QueryString["rif"] ?? string.Empty).ToLower();
    string cif = (Request.QueryString["cif"] ?? string.Empty).ToLower();
    string allowedBasePath = ResolveUrl("~/App_Data/UserImages/Image").ToLower();

    // Unauthenticated users are sent to the login page; Response.Redirect ends the response.
    if (!User.Identity.IsAuthenticated)
        Response.Redirect("~/login.aspx");

    // Both parameters must stay beneath the allowed base path and contain no ".." segments.
    if (!rif.StartsWith(allowedBasePath) || !cif.StartsWith(allowedBasePath) || rif.Contains("..") || cif.Contains(".."))
    {
        Response.Redirect("~/Default.aspx");
    }
    base.OnLoad(e);
}
</script>
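As an added example (not paro's code and not part of MWPSK), here is a stricter version of the same check for the rif and cif parameters: instead of string-prefix and ".." tests on the raw query values, it resolves each value to a physical path with Server.MapPath and System.IO.Path.GetFullPath, verifies that the canonical path stays inside ~/App_Data/UserImages, and only accepts an image extension. The base directory and parameter names come from the comment above; the extension allow-list is an assumption.

```csharp
<script runat="server">
// Added example, not the project's own code. Assumption: rif and cif name files
// beneath ~/App_Data/UserImages and only image files should ever be accepted.
private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

// True only if 'requested' resolves to a file strictly inside baseDir after
// canonicalisation (so "..", rooted paths and "C:\..." are rejected by the OS
// path normaliser rather than by string matching) and has an allowed extension.
private static bool IsSafeImagePath(string requested, string baseDir)
{
    if (string.IsNullOrEmpty(requested)) return false;
    if (requested.IndexOfAny(System.IO.Path.GetInvalidPathChars()) >= 0) return false;

    string fullBase = System.IO.Path.GetFullPath(baseDir);
    if (!fullBase.EndsWith(System.IO.Path.DirectorySeparatorChar.ToString()))
        fullBase += System.IO.Path.DirectorySeparatorChar;

    string fullPath;
    try { fullPath = System.IO.Path.GetFullPath(System.IO.Path.Combine(fullBase, requested)); }
    catch (ArgumentException) { return false; }

    // Containment is decided on the canonical path, not on the raw input.
    if (!fullPath.StartsWith(fullBase, StringComparison.OrdinalIgnoreCase)) return false;

    string ext = System.IO.Path.GetExtension(fullPath).ToLowerInvariant();
    return Array.IndexOf(AllowedExtensions, ext) >= 0;
}

protected override void OnLoad(EventArgs e)
{
    if (!User.Identity.IsAuthenticated)
    {
        Response.Redirect("~/login.aspx");
        return;
    }

    string baseDir = Server.MapPath("~/App_Data/UserImages");
    string rif = Request.QueryString["rif"];
    string cif = Request.QueryString["cif"];

    // Reject the request unless both parameters pass the canonical-path check.
    if (!IsSafeImagePath(rif, baseDir) || !IsSafeImagePath(cif, baseDir))
    {
        Response.Redirect("~/Default.aspx");
        return;
    }
    base.OnLoad(e);
}
</script>
```

This still only gates the two query parameters; whatever code on the page actually writes uploaded content must apply the same IsSafeImagePath test to the destination it writes to, otherwise an authenticated user can still place arbitrary files.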