|
|
Multiple Vendor 8.3 Filename Vulnerability
32bit Windows operating systems support long filenames, but also offer a means of compatibility with the older 8.3 filenames required by previous versions of DOS and Windows. This leads to problems with programs that have their own internal file security mechanisms. In the Netscape, vqServer and Xitami webservers, restrictions applied to directories with long filenames will be ignored if the 8.3 version of the filename is requested. For example, if directory listing is enabled for c:\webroot\ and disabled for c:\webroot\longsubdir\ , a GET request for h t t p://server/longsubdir/ will fail, as expected. However, a GET request for h t t p://server/longsu~1/ will succeed. In Serv-U, the 'cwd' and 'site exec' commands are susceptible to a similar vulnerability. If the execute permission is enabled for c:\ftproot\ and disabled for c:\ftproot\longsubdir\, and an executable is placed in C:\ftproot\longsubdir\, the command 'site exec C:\ftproot\longsubdir\example.exe' will fail, but 'site exec C:\ftproot\longsu~1\example.exe will work and the executable will be running. As this is a problem with the maintenance of two different filesystem conventions in Windows32, the Windows 3.1 and non-Windows versions of these packages are not affected. Other Windows32-based HTTP and FTP servers may have the same or similar vulnerabilities. If you are aware of any not listed here, please email us at: vuldb@securityfocus.com |
|
Privacy Statement |