Go read the vulnerability description now!
Basically – if your users upload files to your site and THEY specify file names, you’re vulnerable:
- IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
There’s an unchecked patch for this vulnerability, but again this shows that you just can’t let any user input be saved to your system without filtering.
So, if you allow file uploads – your script has to specify the filenames, not your users.
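As an added example that is not part of the original post: the weak check the post describes (looking only at the text after the last dot) beside two defensive alternatives, an allow-list over the whole filename and, as the post recommends, the server generating the stored name itself. The image-only extension allow-list and the helper names are assumptions for the illustration.

```python
import re
import secrets
from typing import Optional

# Assumed allow-list of upload extensions for this example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """Typical weak check: only the text after the LAST dot is examined.
    'malicious.asp;.jpg' passes because its last 'extension' is jpg."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


# Whole-name allow-list: one dot, no ';', no path separators, bounded length.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")


def hardened_is_allowed(filename: str) -> bool:
    """Validate the entire filename, not just its tail."""
    return SAFE_NAME.fullmatch(filename.lower()) is not None


def server_side_name(user_filename: str) -> Optional[str]:
    """Let the server choose the stored name. The user influences only the
    extension, and only through the allow-list; everything else is discarded.
    Returns None when the extension is not allowed."""
    if "." not in user_filename:
        return None
    ext = user_filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample filenames: one honest, one using the ';' trick.
    for name in ("photo.jpg", "malicious.asp;.jpg"):
        print(name, weak_is_allowed(name), hardened_is_allowed(name),
              server_side_name(name))
```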
But unfortunately, tomatoi.st is down too often due to overload, so I spent 20 minutes and prepared a simple Windows 7 pomodoro gadget. It does just what’s needed – it shows timers:
Click the “Work” button to start a 25-minute work interval, “short br” for a 5-minute short break, and “long br” for a 15-minute long break.
It’s dead easy to download and install – just click here. Or you can inspect the code if you want to – a gadget is just a zip file with HTML, CSS and JS inside.
Ah, and I have to warn you – when a period is over, it starts playing Alert.wav every second until you set a new period.
For more information about Windows 7 gadgets you can read the following posts on my blog:
- introduction to the gadgets platform
- Exploring Windows Desktop Gadgets
- Exploring Windows Desktop Gadgets #2 – security and limitations
- Exploring Windows Desktop Gadgets #3 – settings storage
- Exploring Windows Desktop Gadgets #4 – flyouts
Or read MSDN.
P.S. this gadget doesn’t have any settings or flyout or anything else – it’s very simple.