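<%
'===========================================================================
' Module: inc_pagekey.asp
'
' Synopsis: Contains checks and helper functions related to page keys, which
'           are used to validate that requests originated from other pages
'           within the admin web site.
'
'           The page key is a per-session, cryptographically random 128-bit
'           value (see SAI_GetPageKey). Pages embed it in their links and
'           forms; this include re-checks it on every request it is part of:
'             - GET  : any query-string argument at all requires exactly one
'                      valid __SAPageKey argument.
'             - POST : exactly one __SAPageKey form field is required.
'             - other: the response is ended with no output.
'           Any failure abandons the session and renders an error page, so
'           the same key value cannot be probed repeatedly.
'
'           NOTE(review): the checks run as top-level code when this file is
'           included, so they protect a page only if it includes this file
'           before doing any work on request data.
'
' Copyright (c) Microsoft Corporation. All rights reserved.
'===========================================================================

' Errors are not fatal in this include; the final Err.number check at the
' bottom of the file ends the response if anything below failed, so the
' page fails closed rather than running unverified.
On Error Resume Next

'
' Constants
'
' Names of the request fields this include reads. The __SAPageKeyError*
' fields are only ever produced by SAI_ReportPageKeyError's self-posting
' error form, but any client can submit them (see the POST check below).
'
Const SAI_FLD_PAGEKEY       = "__SAPageKey"
Const SAI_FLD_ERRORSTRING1  = "__SAPageKeyError1"
Const SAI_FLD_ERRORSTRING2  = "__SAPageKeyError2"
Const SAI_FLD_ERRORSTRING3  = "__SAPageKeyError3"
Const SAI_FLD_ERRORTITLE    = "__SAPageKeyErrorTitle"
Const SAI_FLD_BUTTONTEXT    = "__SAPageKeyButtonText"

' Hard-coded English fallback used when the localized string cannot be
' loaded, or when the error form arrives with an empty first line.
Const SAI_STR_E_UNEXPECTED = "An unexpected problem occurred. Restart the server. If the problem persists, you might need to repair your operating system."

' Error codes accepted by SAI_ReportPageKeyError.
Const SAI_PK_E_UNAUTHORIZED = 1
Const SAI_PK_E_UNEXPECTED   = 2

' Server name used in localized messages and in the home-page link on the
' error page. NOTE(review): on IIS, SERVER_NAME can reflect the request's
' Host header when the site binding does not pin a host name - confirm the
' binding before treating this value as trusted; it is HTML-encoded where
' it is rendered below, but the text itself would still be client-chosen.
Dim SAI_PK_strServerName
SAI_PK_strServerName = Request.ServerVariables("SERVER_NAME")

'
' Set the Language ID for this session based on the browser language
' (SetLCID is defined elsewhere; it presumably uses getBrowserLanguage).
'
Call SetLCID ()

'
' Set CodePage for the Server, this will always be UTF-8
'
Session.CodePage = 65001
Response.CharSet = "utf-8"

'
' Check for error display requests before normal processing. Note that
' all localized strings were passed from the caller, so we don't need to
' retrieve them ourselves.
'
' This path deliberately runs BEFORE page-key verification: the session
' that produced the error form was already abandoned, so there is no key
' left to verify. Consequence (security): any POST that carries
' __SAPageKeyError1 makes this page render caller-supplied text. The
' visible outputs are passed through Server.HTMLEncode, which blocks
' script injection, but the wording itself is attacker-choosable
' (content spoofing / phishing text inside the admin UI). A stricter
' design would post only the numeric error code and look the strings up
' here; that is not changed in this revision because the form markup is
' not visible in this copy of the file.
'
If ("POST" = Request.ServerVariables("REQUEST_METHOD")) Then
    If (1 = Request.Form(SAI_FLD_ERRORSTRING1).Count) Then
        '
        ' Display the error and end the request.
        '
        Call SAI_DisplayPageKeyError()
        Response.End
    End If
End If

'
' Localized strings
'
Dim L_PK_ERRORTITLE_TEXT
L_PK_ERRORTITLE_TEXT = SA_GetLocString("sacoremsg.dll", "40201388", "")

Dim L_PK_CLOSEBUTTON_TEXT
L_PK_CLOSEBUTTON_TEXT = SA_GetLocString("sacoremsg.dll", "40201389", "")

Dim L_PK_UNAUTHORIZEDLINE1_TEXT
L_PK_UNAUTHORIZEDLINE1_TEXT = SA_GetLocString("sacoremsg.dll", "C020138A", _
                                              Array(SAI_PK_strServerName))

Dim L_PK_UNAUTHORIZEDLINE2_TEXT
L_PK_UNAUTHORIZEDLINE2_TEXT = SA_GetLocString("sacoremsg.dll", "C020138B", _
                                              Array(SAI_PK_strServerName))

Dim L_PK_UNAUTHORIZEDLINE3_TEXT
L_PK_UNAUTHORIZEDLINE3_TEXT = SA_GetLocString("sacoremsg.dll", "C020138C", "")

' SA_GetLocString appears to return the resource ID itself when the string
' is missing; treat that, or an empty result, as "use the built-in text".
Dim L_PK_UNEXPECTED_TEXT
L_PK_UNEXPECTED_TEXT = SA_GetLocString("sacoremsg.dll", "C020138D", "")
If (0 = Len(L_PK_UNEXPECTED_TEXT) Or _
    "C020138D" = L_PK_UNEXPECTED_TEXT) Then
    L_PK_UNEXPECTED_TEXT = SAI_STR_E_UNEXPECTED
End If


'---------------------------------------------------------------------------
'
' Function:  SAI_GetPageKey
'
' Synopsis:  Gets the key associated with the current user for this
'            session. If no key has yet been assigned, a new one is
'            generated (128 random bits as a hex string from the
'            COMhelper.CryptRandom component), stored in session state,
'            and returned.
'
' Arguments: None.
'
' Returns:   The key or "" if none could be found or generated. When
'            generation fails, SAI_ReportPageKeyError is invoked, which
'            ends the response.
'
'---------------------------------------------------------------------------
Function SAI_GetPageKey()
    On Error Resume Next

    SAI_GetPageKey = ""

    '
    ' If we have already assigned a key to this session, get that.
    '
    If (Not IsEmpty(Session(SAI_FLD_PAGEKEY))) Then
        SAI_GetPageKey = Session(SAI_FLD_PAGEKEY)
    Else
        '
        ' No existing key. Generate a new one.
        '
        Dim oCryptRandom
        Set oCryptRandom = Server.CreateObject("COMhelper.CryptRandom")

        Dim strNewKey
        strNewKey = oCryptRandom.GetRandomHexString(16)    ' 128 bits

        ' Covers both CreateObject failing (the method call on Empty then
        ' raises) and the generator itself failing.
        If (Err.number <> 0) Then
            Call SAI_ReportPageKeyError(SAI_PK_E_UNEXPECTED)
            Exit Function
        End If

        ' Never persist an empty key: a stored "" would make every later
        ' verification in this session fail with "unexpected" instead of
        ' simply generating a key. ("" & x) folds Null/Empty to "".
        If (0 = Len("" & strNewKey)) Then
            Call SAI_ReportPageKeyError(SAI_PK_E_UNEXPECTED)
            Exit Function
        End If

        Session(SAI_FLD_PAGEKEY) = strNewKey
        SAI_GetPageKey = strNewKey
    End If
End Function


'---------------------------------------------------------------------------
'
' Sub:       SAI_VerifyPageKey
'
' Synopsis:  Gets the key associated with the current user for this
'            session and compares it to the received key. Delivers the
'            correct error and ends the response if the received key
'            is not valid.
'
'            The comparison is exact (binary, case-sensitive). It is not
'            constant-time; VBScript offers no primitive for that, and the
'            key is 128 random bits, so this is noted rather than fixed.
'
' Arguments: strReceivedKey: The key received from the client.
'
'---------------------------------------------------------------------------
Sub SAI_VerifyPageKey(strReceivedKey)
    '
    ' Check for session timeout. If we received a key, but we haven't yet
    ' generated one, our best guess is that the received key is from an old
    ' session that timed out.
    '
    If ("" <> strReceivedKey And IsEmpty(Session(SAI_FLD_PAGEKEY))) Then
        Call SAI_ReportPageKeyError(SAI_PK_E_UNAUTHORIZED)
        Exit Sub
    End If

    '
    ' Get the expected key. Fail the request if this step fails.
    '
    Dim strExpectedKey
    strExpectedKey = SAI_GetPageKey()
    If ("" = strExpectedKey) Then
        Call SAI_ReportPageKeyError(SAI_PK_E_UNEXPECTED)
        Exit Sub
    End If

    '
    ' Compare the expected key to the key we received. Both operands are
    ' folded to strings first: a VBScript comparison involving Null yields
    ' Null, which an If treats as False and would let the request through.
    '
    If (("" & strExpectedKey) <> ("" & strReceivedKey)) Then
        Call SAI_ReportPageKeyError(SAI_PK_E_UNAUTHORIZED)
        Exit Sub
    End If
End Sub


'----------------------------------------------------------------------------
'
' Function : getBrowserLanguage
'
' Synopsis : Returns the first language tag from the request's
'            Accept-Language header, lower-cased, with any ";q=" weight
'            and surrounding whitespace removed.
'
'            The value is untrusted client input; callers (SetLCID, not
'            visible here) must treat it as a lookup key only.
'
' Arguments: None
'
' Returns  : Lower-case language tag (e.g. "en-us"), or "" when the
'            header is absent.
'
'----------------------------------------------------------------------------
Function getBrowserLanguage
    Err.Clear

    Dim strAcceptLanguage
    Dim iPos

    strAcceptLanguage = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")

    ' Keep only the first (most preferred) entry.
    iPos = InStr(1, strAcceptLanguage, ",")
    If iPos > 0 Then
        strAcceptLanguage = Left(strAcceptLanguage, iPos - 1)
    End If

    ' Drop a quality parameter ("en-US;q=0.9") so a bare tag is returned.
    iPos = InStr(1, strAcceptLanguage, ";")
    If iPos > 0 Then
        strAcceptLanguage = Left(strAcceptLanguage, iPos - 1)
    End If

    getBrowserLanguage = LCase(Trim(strAcceptLanguage))
End Function


'---------------------------------------------------------------------------
'
' Sub:       SAI_ReportPageKeyError
'
' Synopsis:  Ends the session (to prevent attackers from repeatedly
'            attempting to compromise the same key value), and outputs
'            a hidden form that will be submitted back to this page.
'            The form contains the various error strings to display and
'            the button text to use if a close button is desired. The
'            response is then ended to prevent any other code from
'            executing.
'
'            NOTE(review): because every failure calls Session.Abandon,
'            a third-party page that makes the admin's browser request
'            this site with a bogus __SAPageKey (a plain GET is enough,
'            see the request processing at the bottom) forcibly logs the
'            admin out. That is the intended trade-off against key
'            guessing; be aware of it when triaging "unexpected logout"
'            reports.
'
' Arguments: nError: The error code. The correct localized strings will
'            be output to the form. Unknown codes are treated as
'            SAI_PK_E_UNAUTHORIZED.
'
'---------------------------------------------------------------------------
Sub SAI_ReportPageKeyError(nError)
    On Error Resume Next

    If (nError <> SAI_PK_E_UNAUTHORIZED And _
        nError <> SAI_PK_E_UNEXPECTED) Then
        nError = SAI_PK_E_UNAUTHORIZED
    End If

    ' Discard anything the including page may already have buffered so the
    ' error form is the only output.
    Response.Clear
    Session.Abandon
%>
<% ' NOTE(review): the hidden-form markup that belongs between these tags is
   ' not present in this copy of the file; only the control flow survives. %>
<% If (nError = SAI_PK_E_UNEXPECTED) Then %>
<% Else ' nError = SAI_PK_E_UNAUTHORIZED %>
<% End If %>
<%
    Response.End
End Sub


'---------------------------------------------------------------------------
'
' Sub:       SAI_DisplayPageKeyError
'
' Synopsis:  Reads the form data from the form created by
'            SAI_ReportPageKeyError and displays the error to the user.
'            See SAI_ReportPageKeyError for more information on the data
'            passed through the form.
'
'            All form values are client-supplied (see the POST check at the
'            top of this file); every value rendered by the visible code
'            below goes through Server.HTMLEncode. The button text and the
'            home-page URL are rendered by markup that is not present in
'            this copy of the file, so their encoding cannot be confirmed
'            here - verify at the rendering site.
'
' Arguments: None. Inputs are read from form variables.
'
'---------------------------------------------------------------------------
Sub SAI_DisplayPageKeyError()
    On Error Resume Next

    '
    ' Read the parameters from the form post. Only the first line is
    ' mandatory (the caller already checked it is present exactly once).
    '
    Dim strTitle
    If (1 = Request.Form(SAI_FLD_ERRORTITLE).Count) Then
        strTitle = Request.Form(SAI_FLD_ERRORTITLE).Item(1)
    Else
        strTitle = ""
    End If

    Dim strLine1
    strLine1 = Request.Form(SAI_FLD_ERRORSTRING1).Item(1)
    If (0 = Len(strLine1)) Then
        strLine1 = SAI_STR_E_UNEXPECTED
    End If

    Dim strLine2
    If (1 = Request.Form(SAI_FLD_ERRORSTRING2).Count) Then
        strLine2 = Request.Form(SAI_FLD_ERRORSTRING2).Item(1)
    Else
        strLine2 = ""
    End If

    Dim strLine3
    If (1 = Request.Form(SAI_FLD_ERRORSTRING3).Count) Then
        strLine3 = Request.Form(SAI_FLD_ERRORSTRING3).Item(1)
    Else
        strLine3 = ""
    End If

    Dim strButtonText
    If (1 = Request.Form(SAI_FLD_BUTTONTEXT).Count) Then
        strButtonText = Request.Form(SAI_FLD_BUTTONTEXT).Item(1)
    Else
        strButtonText = ""
    End If

    '
    ' Construct the homepage URL. The scheme is fixed to https; the host
    ' comes from SERVER_NAME (see the note at the top of the file).
    '
    Dim strHomePageURL
    strHomePageURL = "https://" & SAI_PK_strServerName & ":" & _
                     Request.ServerVariables("SERVER_PORT")

    '
    ' The following lines are copied from sh_page.asp to avoid circular
    ' inclusion of that page by including it here. They make sure the
    ' error page is never cached.
    '
    Response.Buffer = True
    Response.ExpiresAbsolute = DateAdd("yyyy", -10, Date)
    Response.AddHeader "pragma", "no-cache"
    Response.AddHeader "cache-control", "no-store"
    '
    ' End code copied from sh_page.asp
    '
%>
<%=Server.HTMLEncode(strTitle)%>
<%
    '
    ' The following lines are copied from
    ' SA_EmitAdditionalStyleSheetReferences in sh_page.asp to avoid circular
    ' inclusion of that page by including it here.
    '
    ' sStyleURL comes from the element manager (server-side configuration),
    ' not from the request. The markup that emits it is not present in this
    ' copy of the file.
    '
    Dim oRetriever
    Set oRetriever = Server.CreateObject("Elementmgr.ElementRetriever")

    Dim oContainer
    Set oContainer = oRetriever.GetElements(1, "CSS")

    If (0 = Err.Number) Then
        Dim oElement
        For each oElement in oContainer
            Dim sStyleURL
            sStyleURL = Trim(oElement.GetProperty("URL"))
            If (0 = Err.Number) Then
                If ( Len(sStyleURL) > 0 ) Then
%>
<%
                End If
            End If
        Next
    End If
    '
    ' End code copied from sh_page.asp
    '
%>
<% ' NOTE(review): the page body markup is not present in this copy of the
   ' file. The conditional blocks and the encoded outputs below are kept in
   ' the order they appear in the source as received; their original nesting
   ' could not be recovered and is NOT asserted here. %>
<% If (0 <> Len(strLine2)) Then %>
<% End If
   If (0 <> Len(strLine3)) Then %>
<% End If
   If (0 <> Len(strButtonText)) Then %>
<% End If %>

<%=Server.HTMLEncode(strTitle)%>


  <%=Server.HTMLEncode(strLine1)%>

  <%=Server.HTMLEncode(strLine2)%>

  <%=Server.HTMLEncode(strLine3)%>
  <%=Server.HTMLEncode(strHomePageURL)%>

  <%
    '
    ' The following HTML is copied from
    ' SA_ServeOnClickButton in sh_page.asp to avoid
    ' circular inclusion of that page by including it
    ' here.
    '
  %>
  <%
    '
    ' End code copied from sh_page.asp
    '
  %>
<%
    Response.End
End Sub


'
' Begin normal processing.
'
' Every request that reaches this point is checked according to its method.
' SAI_VerifyPageKey and SAI_ReportPageKeyError end the response on failure,
' so falling out of the Select Case means the request is allowed.
'
Select Case Request.ServerVariables("REQUEST_METHOD")
    Case "GET"
        '
        ' Look for a key in the request. If one is found, verify that it is
        ' correct. A duplicated key (Count > 1) is not accepted.
        '
        If (1 = Request.QueryString(SAI_FLD_PAGEKEY).Count) Then
            '
            ' Found a key. Verify it.
            '
            Call SAI_VerifyPageKey(Request.QueryString(SAI_FLD_PAGEKEY).Item(1))
        ElseIf (0 <> Request.QueryString.Count) Then
            ' Any other query-string argument without a key is rejected.
            Call SAI_ReportPageKeyError(SAI_PK_E_UNAUTHORIZED)
        End If

        '
        ' If we got here, we either had a valid key or no querystring
        ' arguments. Either way, allow the request to succeed.
        '

    Case "POST"
        '
        ' Verify that exactly one key was submitted (rejects both a missing
        ' key and parameter-pollution style duplicates).
        '
        If (Request.Form(SAI_FLD_PAGEKEY).Count <> 1) Then
            Call SAI_ReportPageKeyError(SAI_PK_E_UNAUTHORIZED)
        Else
            '
            ' Verify that the submitted key matches the one stored in the
            ' session state.
            '
            Call SAI_VerifyPageKey(Request.Form(SAI_FLD_PAGEKEY).Item(1))
        End If

    Case Else
        '
        ' We reject all other types of requests if we receive them.
        ' NOTE(review): this ends with an empty body and whatever status is
        ' already set (normally 200); no explicit 405 is sent.
        '
        Response.End
End Select

'
' One last check to catch anything that fell through. With On Error Resume
' Next in effect, an error raised inside the verification path resumes here
' rather than aborting, so end the response instead of serving the page.
'
If (Err.number <> 0) Then
    Response.End
End If
%>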