Fortify Scan For Classic Asp Application - Issue

Status
Not open for further replies.

vamsikirank (Programmer; Joined: Sep 26, 2018; Messages: 1; Location: US)

Hello All,

We have a classic ASP application that has the below code to open up files.

Dim Connection

If fn_gblnCreateConnection(Connection) = false Then
    Response.Redirect("../../Global/error.asp")
End if

Set RS = Connection.Execute(SQLStmt)

if RS.EOF then
    fileName = default_filename
else
    fileName = rtrim(ltrim(RS("content_file")))
end if

' The file name read from the database is appended to the folder unchanged
strTextFile = strFolder & fileName

'-- Create and Open File System Object
set fso = CreateObject("Scripting.FileSystemObject")
set bodyFile = fso.OpenTextFile(strTextFile)
strBodyText = bodyFile.readAll

Select Case Err.number
    Case 0 'Do Nothing
    Case Else
        Response.Redirect(error_url)
End Select

' Keep only the text between the opening <BODY ...> tag and </BODY>
strBodyTest = ucase(strBodyText)

if instr(strBodyTest,"<BODY") then
    strBodyText = mid(strBodyText,instr(strBodyTest,"<BODY")+1,len(strBodyTest)-instr(strBodyTest,"<BODY"))
    ' Length is now computed from the same string that is being sliced
    strBodyText = mid(strBodyText,instr(strBodyText,">")+1,len(strBodyText)-instr(strBodyText,">"))
end if

if instr(strBodyTest,"</BODY") then
    strBodyTest = ucase(strBodyText)
    strBodyText = mid(strBodyText,1,instr(strBodyTest,"</BODY")-1)
end if

%>


We were recently asked to change the functionality to open files, as there is a risk of attack. How do I change the code to make sure to prevent attacks?
 
What kind of attack would you like to prevent?
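
One way to constrain the path before `OpenTextFile` is called, as an added example that is not part of the original thread. It assumes the scan finding concerns the path built from the `content_file` database value; `IsSafeFileName`, `SafeContentPath`, `CONTENT_FOLDER`, the allowed extensions and the sample names are hypothetical.

```vbscript
<%
' Added example: allow-list the file name, then confirm the canonical path
' still sits inside the content folder before the file is opened.

Const CONTENT_FOLDER = "C:\inetpub\content\"   ' constructed value, stands in for strFolder

Function IsSafeFileName(name)
    ' Accept only letters, digits, "_" and "-" plus one known extension (assumed list).
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(htm|html|txt)$"
    re.IgnoreCase = True
    IsSafeFileName = re.Test(name)
End Function

Function SafeContentPath(fso, baseFolder, name)
    ' Returns the full path to open, or "" when the name is rejected.
    Dim base, full
    SafeContentPath = ""
    If Not IsSafeFileName(name) Then Exit Function
    base = fso.GetAbsolutePathName(baseFolder)
    If Right(base, 1) <> "\" Then base = base & "\"
    ' GetAbsolutePathName resolves "." and ".." segments in the combined path.
    full = fso.GetAbsolutePathName(fso.BuildPath(base, name))
    ' Case-insensitive prefix check: the result must stay under the base folder.
    If StrComp(Left(full, Len(base)), base, vbTextCompare) <> 0 Then Exit Function
    SafeContentPath = full
End Function

Dim fso, sample, path
Set fso = CreateObject("Scripting.FileSystemObject")

' Constructed inputs standing in for values read from RS("content_file").
For Each sample In Array("welcome.htm", "..\other\page.htm", "C:\temp\page.htm", "page.htm.bak")
    path = SafeContentPath(fso, CONTENT_FOLDER, Trim(sample))
    If path = "" Then
        Response.Write Server.HTMLEncode(sample) & ": rejected<br>"
    Else
        Response.Write Server.HTMLEncode(sample) & ": " & Server.HTMLEncode(path) & "<br>"
    End If
Next
%>
```

In the posted code this would replace `strTextFile = strFolder & fileName`, with a redirect to the error page when the function returns an empty string.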
 