|
|
Microsoft IIS And PWS 8.3 Directory Name Vulnerability
Solution: Various solutions exist: In tests on NT based systems, applying SP4 or SP5 has fixed this issue. Be sure to re-apply the appropriate service pack after installing other software, as some systems that have had these applied have been shown to be vulnerable again later. If possible, use NTFS security to limit access. If only 8.3 file and directory naming is used in the web space, this vulnerability will not occur. Alternatively, for NTFS filesystems, you can disable 8.3 filenames entirely. Quoted from a Bugtraq post by David LeBlanc: If you open the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem and create a value named NtfsDisable8dot3NameCreation, type REG_DWORD, and set it to 1, then the operating system will not create 8.3 filenames (I think you'd have to reboot for it to take effect). Note that this isn't retroactive, so you'd need to move any trees you want updated, and then move them back. This is something that should be on anyone's checklist when setting up a web or FTP server prior to putting content on that server. BTW, setting this value also gets you a modest improvement in file system performance. It will also break 16-bit apps, but hopefully you're not running any antique applications on your server. As always, test this sort of change thoroughly before putting it into production. |
|
Privacy Statement |