<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Oh wonderful, it's called remote file
      inclusion.<br>
      I suspected that much, but I didn't bother to address it, <br>
      because I didn't publish the sources and internal config files -
      up until today.<br>
      <br>
      So with you having mentioned it for all script kiddies to see -
      site taken down until validation is added.<br>
      Before that, I quickly checked - one can access files below the
      root directory of the web application.<br>
      <br>
Isn't this a mono-bug, too?<br>
      Because I think I remember having done this once on a test or
      production server, and it gave a wonderful YSOD on IIS.<br>
      <br>
      <br>
      <br>
      <br>
      <br>
      On 02/03/2013 11:45 AM, Daniel Lo Nigro wrote:<br>
    </div>
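<div>A hardened version of the Transmit handler quoted below, added to this archived thread as an illustration (it is not code from the thread, from the site or from Mono): it accepts only a bare file name with an image extension and checks that the canonicalised path still lies inside the gallery directory before calling TransmitFile. GalleryVirtualPath, DefaultFile and AllowedExtensions are assumptions made for the example.</div>

```csharp
using System;
using System.IO;
using System.Web;

namespace Homepage
{
    // Added example: a hardened replacement for the Transmit.ashx handler.
    // GalleryVirtualPath, DefaultFile and AllowedExtensions are assumptions.
    public class SafeTransmit : IHttpHandler
    {
        private const string GalleryVirtualPath = "~/Content/images/gallery/";
        private const string DefaultFile = "001.jpg";
        private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

        // Maps the untrusted "myfile" value to an absolute path inside the
        // gallery directory, or returns null when the request must be refused.
        public static string ResolveGalleryFile(string galleryRoot, string requested)
        {
            if (string.IsNullOrEmpty(requested))
                requested = DefaultFile;

            // 1. Accept a bare file name only: no directory separators, no "..",
            //    no NUL, and nothing that GetFileName would strip.
            if (requested.IndexOfAny(new[] { '/', '\\', '\0' }) != -1 || requested.Contains(".."))
                return null;
            if (!string.Equals(Path.GetFileName(requested), requested, StringComparison.Ordinal))
                return null;

            // 2. Serve image types only; the handler is not a generic file reader.
            string ext = Path.GetExtension(requested);
            if (Array.FindIndex(AllowedExtensions,
                    a => string.Equals(a, ext, StringComparison.OrdinalIgnoreCase)) == -1)
                return null;

            // 3. Canonicalise and confirm the result still lies under the gallery
            //    root; the trailing separator stops "gallery2" from matching "gallery".
            string root = Path.GetFullPath(galleryRoot).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(Path.Combine(root, requested));
            if (!full.StartsWith(root, StringComparison.Ordinal))
                return null;

            return File.Exists(full) ? full : null;
        }

        private static string ContentTypeFor(string path)
        {
            switch (Path.GetExtension(path).ToLowerInvariant())
            {
                case ".png": return "image/png";
                case ".gif": return "image/gif";
                default: return "image/jpeg";
            }
        }

        public void ProcessRequest(HttpContext context)
        {
            string galleryRoot = context.Server.MapPath(GalleryVirtualPath);
            string path = ResolveGalleryFile(galleryRoot, context.Request.Params["myfile"]);
            if (path == null)
            {
                // A plain 404 for every rejected name; do not echo the value back.
                context.Response.StatusCode = 404;
                return;
            }

            context.Response.Clear();
            context.Response.ContentType = ContentTypeFor(path);
            context.Response.TransmitFile(path);
        }

        public bool IsReusable { get { return true; } }   // the handler keeps no state
    }
}
```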
    <blockquote
cite="mid:CAB1r_+Uf0A+o0o9qsnqp6JnMdDPqBhpS61ffKSTqg+RPJ=HAzQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">That does look like a bug with how Mono handles
        TransmitFile - I suggest reporting it as a bug in Xamarin
        Bugzilla (report it under the System.Web component).
        <div><br>
        </div>
        <div style="">Also FYI it's probably best if you pull down those
          pages for now; you're not validating the "myfile" parameter so
          it's open to a <a moz-do-not-send="true"
            href="http://en.wikipedia.org/wiki/Remote_file_inclusion">Remote
            File Inclusion</a> vulnerability.</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Feb 3, 2013 at 9:38 PM,
          quandary <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:quandary82@hailmail.net" target="_blank">quandary82@hailmail.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Yep, indeed that sounds like that.<br>
                And I just tested.<br>
                Added WriteFile.ashx and Transmit.ashx<br>
                <br>
and tested with<br>
                <a moz-do-not-send="true"
                  href="http://www.daniel-steiger.ch/WriteFile.ashx"
                  target="_blank">http://www.daniel-steiger.ch/WriteFile.ashx</a><br>
                <a moz-do-not-send="true"
                  href="http://www.daniel-steiger.ch/Transmit.ashx"
                  target="_blank">http://www.daniel-steiger.ch/Transmit.ashx</a><br>
                and<br>
                <a moz-do-not-send="true"
                  href="http://www.daniel-steiger.ch/WriteFile.ashx?myfile=avatar100.png"
                  target="_blank">http://www.daniel-steiger.ch/WriteFile.ashx?myfile=avatar100.png</a><br>
                <a moz-do-not-send="true"
                  href="http://www.daniel-steiger.ch/Transmit.ashx?myfile=avatar100.png"
                  target="_blank">http://www.daniel-steiger.ch/Transmit.ashx?myfile=avatar100.png</a><br>
                <br>
                <br>
                It seems the bug is in Response.TransmitFile for files
                of any size <br>
                (also for avatar100.png, which is only 4.3 kb)<br>
                <br>
                so to summarize, there is a rather bad-natured bug in <br>
                Class: System.Web.HttpResponse<br>
                Method: TransmitFile(string filename)<br>
                <br>
                <br>
                This is the transmit-handler code:<br>
                 <br>
<pre><code>using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace Homepage
{
    /// <summary>
    /// Summary description for Transmit
    /// </summary>
    public class Transmit : IHttpHandler
    {

        public void ProcessRequest(HttpContext context)
        {
            // "myfile" is taken straight from the request and is not validated
            string strFile = context.Request.Params["myfile"];

            if (string.IsNullOrEmpty(strFile))
                strFile = "001.jpg";

            string strNetPath = string.Format("~/Content/images/gallery/{0}", strFile);
            string strFileNameAndPath = context.Server.MapPath(strNetPath);

            context.Response.Clear();
            context.Response.ContentType = "image/jpeg";
            context.Response.TransmitFile(strFileNameAndPath);
        }

        public bool IsReusable
        {
            get
            {
                return false;
            }
        }
    }

}</code></pre>
                <br>
                <br>
                <br>
                Regards<br>
                <br>
                Stefan
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    <br>
                    <br>
                    On 02/03/2013 06:14 AM, Daniel Lo Nigro wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">That sounds like chunked encoding,
                      Wikipedia says (<a moz-do-not-send="true"
                        href="http://en.wikipedia.org/wiki/Chunked_transfer_encoding"
                        target="_blank">http://en.wikipedia.org/wiki/Chunked_transfer_encoding</a>):<br>
                      <i>Each chunk starts with the<b> number of octets
                          of the data it embeds expressed in hexadecimal</b>
                        followed by optional parameters (chunk
                        extension) and a <b>terminating CRLF sequence</b>,
                        followed by the chunk data. The chunk is
                        terminated by CRLF. If chunk extensions are
                        provided, the chunk size is terminated by a
                        semicolon followed with the extension name and
                        an optional equal sign and value.</i>
                      <div> <br>
                      </div>
                      <div>Which is exactly what you're saying. I wonder
                        if something is not being done correctly with
                        files as large as the ones you're using. Since
                        you said it works for thumbnails, I assume it's
                        working for smaller files.</div>
                      <div><br>
                      </div>
                      <div>Try Response.WriteFile or
                        Response.TransmitFile in a standard <a
                          moz-do-not-send="true" href="http://ASP.NET"
                          target="_blank">ASP.NET</a> handler (.ashx)
                        and see if they also don't work.</div>
                      <div><br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px
                        0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span
style="font-family:arial,sans-serif;font-size:13px">All traffic to that
                          URL [</span><a moz-do-not-send="true"
                          href="http://www.daniel-steiger.ch/"
                          style="font-family:arial,sans-serif;font-size:13px"
                          target="_blank">www.daniel-steiger.ch</a><span
style="font-family:arial,sans-serif;font-size:13px">] (except for the
                          folders /doc and /images), but including
                          images in /Content, is directly forwarded to
                          fastcgi by nginx, as per fastcgi config file
                          for domain.</span></blockquote>
                      <div><span
                          style="font-family:arial,sans-serif;font-size:13px">I'd

                          still suggest letting Nginx serve your static
                          files. Just because the site is low-traffic
                          doesn't mean that little performance tweaks
                          aren't good :). I do something like this:</span></div>
                      <div>
<pre><code>location / {
    # Pass requests for unknown files to Mono
    try_files $uri @mono;
}

location @mono {
    # Put all your Mono config here
}
</code></pre>
<div><font face="arial, sans-serif">My full site config is at </font><a moz-do-not-send="true" href="https://github.com/Daniel15/Website/blob/master/nginx.conf" target="_blank">https://github.com/Daniel15/Website/blob/master/nginx.conf</a></div>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On Sun, Feb 3, 2013 at
                        4:00 PM, SirNoSkill <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:quandary82@hailmail.net"
                            target="_blank">quandary82@hailmail.net</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div>
                            <div>I have more details on the bug.<br>
                            </div>
                            <div>The extra bytes that are at the
                              beginning <br>
                            </div>
<pre><code>31 39 36 62 36 38 0D 0A</code></pre>
<div>which reads 196b68\r\n in ASCII<br>
</div>
                            <div><span>196b68 </span>is the filesize of
                              the original image in hex...<br>
                            </div>
                            <div> </div>
                            <div>All details + hexdump links added here:<br>
                            </div>
                            <div><a moz-do-not-send="true"
href="http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image"
                                target="_blank">http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image</a><br>
                            </div>
                            <div> </div>
                            <div> </div>
                            <div> </div>
                            <div>All traffic to that URL [<a
                                moz-do-not-send="true"
                                href="http://www.daniel-steiger.ch"
                                target="_blank">www.daniel-steiger.ch</a>]
                              (except for the folders /doc and /images),
                              but including images in /Content, is
                              directly forwarded to fastcgi by nginx, as
                              per fastcgi config file for domain.<br>
                            </div>
                            <div> </div>
                            <div> </div>
<pre><code>server {
        listen   80;
        server_name www.daniel-steiger.ch daniel-steiger.ch;
        access_log  /var/log/nginx/daniel-steiger.ch.access.log;

        location / {
                root /home/danillo/www/HomePage;
                #index index.html index.htm default.aspx Default.aspx;
                #fastcgi_index Default.aspx;
                fastcgi_pass 127.0.0.1:9000;
                include /etc/nginx/fastcgi_params;
        }

        location /doc {
                root /usr/share;
                autoindex on;
                allow 127.0.0.1;
                deny all;
        }

        location /images {
                root /usr/share;
                autoindex off;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 501 503 504 /50x.html;
        location = /50x.html {
                root /home/danillo/www/HomePage;
        }

        error_page 502 /502.html;
        location = /502.html {
                root /home/danillo/www/HomePage;
        }
}
</code></pre>
                            <div> </div>
                            <div> </div>
                            <div>It's sufficient to have the file served
                              without FileResult.</div>
                            <div>Of course it's more efficient if nginx
                              serves it directly, but this is a very low
                              traffic website, so performance is really
                              not my problem ;)<br>
                            </div>
                            <div> </div>
                            <div>And by the way, the problem is not
                              finding a workaround.<br>
                            </div>
                            <div> I have already fixed it with a
                              workaround about a week ago.<br>
                            </div>
<div>I really just want to know where the
  bug is, because if FileResult
  malfunctions, there's probably more to it,
  and I don't want to walk into a subtle bug
  that is not spottable at first sight later,
  like a botched binary upload/download
  file.</div>
                            <div>
                              <div>
                                <div> </div>
                                <div> </div>
                                <div> </div>
                                <div> </div>
                                <div> </div>
                                <div>On Sat, Feb 2, 2013, at 06:51 AM,
                                  Daniel Lo Nigro wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Hmm... Maybe try an
                                    X-Accel-Redirect header instead.
                                    This lets Nginx serve the file
                                    instead of Mono having to serve it,
                                    which makes it more efficient. See
                                    if that makes a difference, or if it
                                    has the same issue.
                                    <div>  </div>
                                    <div>Why not just link directly to
                                      the file, instead of serving it
                                      through your C# code?<br>
                                    </div>
                                  </div>
                                  <div class="gmail_extra">
                                    <div> </div>
                                    <div> </div>
                                    <div class="gmail_quote">
                                      <div>On Sun, Feb 3, 2013 at 1:43
                                        AM, quandary82 <span dir="ltr"><<a
                                            moz-do-not-send="true"
                                            href="mailto:quandary82@hailmail.net"
                                            target="_blank">quandary82@hailmail.net</a>></span>
                                        wrote:<br>
                                      </div>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div>Corrected the mime, but
                                          seems to be a mono-bug (or
                                          fastcgi) anyway.<br>
                                        </div>
                                        <div> </div>
                                        <div> More here:<br>
                                        </div>
                                        <div><a moz-do-not-send="true"
href="http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image"
                                            target="_blank">http://stackoverflow.com/questions/14662795/why-do-i-have-unwanted-extra-bytes-at-the-beginning-of-image</a><br>
                                        </div>
                                        <div> </div>
                                        <div> </div>
                                        <div> </div>
                                        <div> --<br>
                                        </div>
                                        <div> View this message in
                                          context: <a
                                            moz-do-not-send="true"
href="http://mono.1490590.n4.nabble.com/Bug-in-mono-3-0-1-MVC3-File-FileResult-tp4658382p4658422.html"
                                            target="_blank">http://mono.1490590.n4.nabble.com/Bug-in-mono-3-0-1-MVC3-File-FileResult-tp4658382p4658422.html</a><br>
                                        </div>
                                        <div> Sent from the Mono - Dev
                                          mailing list archive at
                                          Nabble.com.<br>
                                        </div>
                                        <div>
                                          <div>_______________________________________________<br>
                                          </div>
                                          <div> Mono-devel-list mailing
                                            list<br>
                                          </div>
                                          <div><a moz-do-not-send="true"
href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.ximian.com</a><br>
                                          </div>
                                          <div><a moz-do-not-send="true"
href="http://lists.ximian.com/mailman/listinfo/mono-devel-list"
                                              target="_blank">http://lists.ximian.com/mailman/listinfo/mono-devel-list</a><br>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                  </div>
                                </blockquote>
                                <div> </div>
                              </div>
                            </div>
                            <span><font color="#888888">
                                <div>-- <br>
                                </div>
                                <div> SirNoSkill<br>
                                </div>
                                <div> <a moz-do-not-send="true"
                                    href="mailto:quandary82@hailmail.net"
                                    target="_blank">quandary82@hailmail.net</a><br>
                                </div>
                                <pre>-- 
<a moz-do-not-send="true" href="http://www.fastmail.fm" target="_blank">http://www.fastmail.fm</a> - mmm... Fastmail...
</pre>
                              </font></span></div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
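<div>To make the chunked-encoding diagnosis in the thread above concrete, here is a small C# decoder for HTTP/1.1 chunked transfer encoding, added to this archived thread as an illustration (it is not code from the thread or from Mono): Decode strips chunk framing, and StartsWithChunkSizeLine is the check that the bytes 31 39 36 62 36 38 0D 0A amount to, namely the payload length in hex followed by CRLF at the very start of the body. The sample payload in Main is constructed; the class and method names are assumptions.</div>

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Text;

// Added example, not code from the thread: a minimal HTTP/1.1 chunked-body
// decoder plus the check the thread did by hand on the first eight bytes.
public static class ChunkedBody
{
    // Reads "hex-size[;extension]CRLF" at 'pos'. Returns the size, or -1 if
    // there is no such line. Sets 'next' to the offset just past the CRLF.
    public static long ReadSizeLine(byte[] data, int pos, out int next)
    {
        next = pos;
        int crlf = IndexOfCrlf(data, pos);
        if (crlf == -1) return -1;
        string line = Encoding.ASCII.GetString(data, pos, crlf - pos);
        int semi = line.IndexOf(';');                 // drop any chunk extension
        if (semi != -1) line = line.Substring(0, semi);
        long size;
        if (!long.TryParse(line.Trim(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out size))
            return -1;
        next = crlf + 2;
        return size;
    }

    // Wraps a payload as one chunk followed by the terminating zero-length chunk.
    public static byte[] Encode(byte[] payload)
    {
        var ms = new MemoryStream();
        byte[] head = Encoding.ASCII.GetBytes(payload.Length.ToString("x") + "\r\n");
        ms.Write(head, 0, head.Length);
        ms.Write(payload, 0, payload.Length);
        byte[] tail = Encoding.ASCII.GetBytes("\r\n0\r\n\r\n");
        ms.Write(tail, 0, tail.Length);
        return ms.ToArray();
    }

    // Decodes a chunked body. Returns null when the framing is malformed.
    public static byte[] Decode(byte[] raw)
    {
        var output = new MemoryStream();
        int pos = 0;
        while (true)
        {
            int next;
            long size = ReadSizeLine(raw, pos, out next);
            if (size == -1) return null;
            pos = next;
            if (size == 0) break;                           // last chunk reached
            if (pos + size + 2 > raw.Length) return null;   // truncated chunk
            output.Write(raw, pos, (int)size);
            pos += (int)size;
            if (raw[pos] != (byte)'\r' || raw[pos + 1] != (byte)'\n') return null;
            pos += 2;
        }
        return output.ToArray();
    }

    // The thread's diagnosis: the body starts with the file size in hex and a
    // CRLF, i.e. a chunk-size line that nothing downstream stripped.
    public static bool StartsWithChunkSizeLine(byte[] body, long expectedLength)
    {
        int next;
        return ReadSizeLine(body, 0, out next) == expectedLength;
    }

    private static int IndexOfCrlf(byte[] data, int start)
    {
        for (int i = start; data.Length - i > 1; i++)
            if (data[i] == (byte)'\r' && data[i + 1] == (byte)'\n') return i;
        return -1;
    }

    public static void Main()
    {
        // Constructed sample standing in for the real 0x196b68-byte image.
        byte[] payload = Encoding.ASCII.GetBytes("constructed image bytes");
        byte[] framed = Encode(payload);
        Console.WriteLine(StartsWithChunkSizeLine(framed, payload.Length));
        Console.WriteLine(StartsWithChunkSizeLine(payload, payload.Length));
        Console.WriteLine(Decode(framed).Length == payload.Length);

        // The eight bytes quoted in the thread: 31 39 36 62 36 38 0D 0A
        byte[] quoted = { 0x31, 0x39, 0x36, 0x62, 0x36, 0x38, 0x0D, 0x0A };
        int after;
        Console.WriteLine(ReadSizeLine(quoted, 0, out after));
    }
}
```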
    <br>
  </body>
</html>