Solved

A cross-site and a file canonicalization problems

Posted on 2011-03-04
2
1,772 Views
Last Modified: 2012-05-11
Hi. I'm analyzing my code C# with CAT.NET Code Analysis and getting "Sanitize the file path prior to passing it to file system routines" message for File.Move(Path + "\\...

and a cross-site redirection vulnerability “Do not allow off-site redirections to absolute URLs that can be specified by the user” for  Response.Redirect("file:" + Path + "\\...

Is there any solution to these problem?  Thanks!

protected void Button1_Click(object sender, EventArgs e)
{
 if (FileExt == "aa")
 {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + ListBox1.SelectedValue);
   }
 }
 else if (FileExt == "bb")
 {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
Response.Redirect("file:" + Path + "\\filepath_bb\\" + Status + "\\" + ListBox1.SelectedValue);
   }
 }
}

protected void Button2_Click(object sender, EventArgs e)
{
 if (FileExt == "aa")
 {
  if (Status == "New")
  {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
File.Move(Path + "\\filepath_aa\\New\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\New\\New_Items\\" + ListBox1.SelectedValue);
   }
  }
  else if (Status == "Closed")
  {
   if (ListBox1.SelectedValue == "")
   {
     Response.Redirect("Page1.aspx");
   }
   else
   {
File.Move(Path + "\\filepath_aa\\Closed\\" + ListBox1.SelectedValue, Path + "\\filepath_aa\\Closed\\Closed_Items\\" + ListBox1.SelectedValue);
    }
   }…
0
Comment
Question by:avi7
2 Comments
 
LVL 23

Accepted Solution

by:
wdosanjos earned 500 total points
ID: 35041401
I think your ListBox1.SelectedValue variable is causing the problem.

Try validating ListBox1.SelectedValue against the list used to populate it.  This is to garantee that the user did not temper with the values.  Maybe something like this:

Dim validValues As HashSet(Of String)
Dim selectedValue As String

selectedValue = validValues(ListBox1.SelectedValue)

...

Response.Redirect("file:" + Path + "\\filepath_aa\\" + Status + "\\" + selectedValue);

Open in new window


If Path and Status also come from user input they need to be validated also.

I hope this helps.
0
 

Author Closing Comment

by:avi7
ID: 35047053
Thanks!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Access properties in nested observable collections 8 23
WKHTMLTOPDF - --disable-smart-shrinking not working 10 36
Not showing page correctly 3 30
Turn on intranet settings 1 39
Article by: Najam
Having new technologies does not mean they will completely replace old components.  Recently I had to create WCF that will be called by VB6 component.  Here I will describe what steps one should follow while doing so, please feel free to post any qu…
Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now