
Fortify Scan For Classic Asp Application - Issue

Status
Not open for further replies.

vamsikirank

Programmer
Sep 26, 2018
1
US
Hello All,

We have a classic ASP application that has the below code to open up files.

<%
Dim Connection

If fn_gblnCreateConnection(Connection) = false Then
    Response.Redirect("../../Global/error.asp")
End if

Set RS = Connection.Execute(SQLStmt)

if RS.EOF then
    fileName = default_filename
else
    fileName = rtrim(ltrim(RS("content_file")))
end if

strTextFile = strFolder & fileName

'-- Create and Open File System Object
set fso = CreateObject("Scripting.FileSystemObject")
set bodyFile = fso.OpenTextFile(strTextFile)
strBodyText = bodyFile.readAll

Select Case Err.number
    Case 0 'Do Nothing
    Case Else
        Response.Redirect(error_url)
End Select

'-- Keep only the content between the <BODY ...> and </BODY> tags
strBodyTest = ucase(strBodyText)

if instr(strBodyTest,"<BODY") then
    strBodyText = mid(strBodyText,instr(strBodyTest,"<BODY")+1,len(strBodyTest)-instr(strBodyTest,"<BODY"))
    '-- Offset and length are both measured on the already trimmed string
    strBodyText = mid(strBodyText,instr(strBodyText,">")+1,len(strBodyText)-instr(strBodyText,">"))
end if

if instr(strBodyTest,"</BODY") then
    strBodyTest = ucase(strBodyText)
    strBodyText = mid(strBodyText,1,instr(strBodyTest,"</BODY")-1)
end if
%>


We recently were asked to change the functionality to open files as there is a risk for attack. How do I change the code to make sure to prevent attacks?
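One way to constrain the file open in the code above, shown as an added example that is not part of the original post: the file name read from the database is checked against an allowlist and the canonical path is confirmed to stay inside strFolder before it is opened. The helper name fn_ResolveContentFile, the 64-character limit and the permitted extensions are assumptions to adapt to the application.

```vbscript
<%
' Added example: hypothetical helper, not from the original post.
' Returns the full path of a content file only when it resolves to an
' existing file directly inside baseFolder; otherwise returns "".
Function fn_ResolveContentFile(ByVal baseFolder, ByVal candidateName)
    Dim fso, re, baseFull, fullPath
    fn_ResolveContentFile = ""

    ' Reject Null, empty or oversized values coming back from the recordset.
    If IsNull(candidateName) Then Exit Function
    candidateName = Trim(CStr(candidateName))
    If Len(candidateName) = 0 Or Len(candidateName) > 64 Then Exit Function

    ' Allowlist: a plain name plus one of the assumed extensions. Slashes,
    ' colons (drive letters, alternate data streams) and ".." cannot match.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+\.(htm|html|txt)$"
    re.IgnoreCase = True
    If Not re.Test(candidateName) Then Exit Function

    Set fso = CreateObject("Scripting.FileSystemObject")

    ' Canonicalize both paths and confirm the result stays in baseFolder.
    baseFull = fso.GetAbsolutePathName(baseFolder)
    If Right(baseFull, 1) <> "\" Then baseFull = baseFull & "\"
    fullPath = fso.GetAbsolutePathName(fso.BuildPath(baseFull, candidateName))
    If StrComp(Left(fullPath, Len(baseFull)), baseFull, vbTextCompare) <> 0 Then Exit Function
    If Not fso.FileExists(fullPath) Then Exit Function

    fn_ResolveContentFile = fullPath
End Function

' Usage with the variables from the post (strFolder, fileName,
' default_filename, error_url): fall back to the default file, then fail closed.
strTextFile = fn_ResolveContentFile(strFolder, fileName)
If strTextFile = "" Then strTextFile = fn_ResolveContentFile(strFolder, default_filename)
If strTextFile = "" Then Response.Redirect(error_url)

Set fso = CreateObject("Scripting.FileSystemObject")
Set bodyFile = fso.OpenTextFile(strTextFile, 1)   ' 1 = ForReading
strBodyText = bodyFile.ReadAll
bodyFile.Close
%>
```

The regular expression alone already rejects traversal sequences; the canonical-path comparison is a second check that still holds if the allowlist is later loosened.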
 