|
|
NT Webserver Long File Name Access Protection Vulnerability
All 32-bit Microsoft Windows operating systems (commonly known as Win32) can associate two different file names with a stored file, a short name and a long name. The short version, known as 8.3-compliant, is restricted to a length of 8 characters and an extension of 3 characters. This version is required for backward compatibility with DOS. The long version of the file name is not restricted to the 8.3-compliant format but is restricted to a total length of 255 characters. When Win32 stores a file with a short name (i.e., 8.3-compliant), it associates only that short file name with the file. However, when Win32 stores a file with a long name (i.e., greater than 8 characters), it associates two versions of the file name with the file--the original, long file name and an 8.3-compliant short file name that is derived from the long name in a predictable manner. Example: The 8.3-compliant short file name "Abcdefgh.xyz" is represented 1.as is: "Abcdefgh.xyz". However, the long file name "Abcdefghijk.xyz" is represented: 1.as is: "Abcdefghijk.xyz" and 2.as 8.3-compliant: "Abcdef~1.xyz". Some Win32-based web servers have not compensated for the two file name versions when restricting access to files that have long names. The web servers attempt to restrict access by building an internal list of restricted file names. However, for files with long names, only the long, and not the short, file name is added to this internal list. This leaves the file unprotected by the web server because the file is still accessible via the short file name. For example, "Abcdefgh.xyz" (short) would be protected by the web server, but "Abcdefghijk.xyz" (long) would not be completely protected by the web server. |
|
Privacy Statement |