
IIS unauthorized access - long file names
11 Feb 1998

An exploitation involving long file names on Microsoft Windows-based web servers has recently been described on public mailing lists. When files on the web server have names longer than 8.3 (8 characters plus a 3-character extension), users can gain unauthorized access to files protected solely by the web server.

All 32-bit Microsoft Windows operating systems (commonly known as Win32) can associate two different file names with a stored file, a short name and a long name. The short version, known as 8.3-compliant, is restricted to a length of 8 characters and an extension of 3 characters. This version is required for backward compatibility with DOS. The long version of the file name is not restricted to the 8.3-compliant format but is restricted to a total length of 255 characters.

When Win32 stores a file with a short name (i.e., 8.3-compliant), it associates only that short file name with the file. However, when Win32 stores a file with a long name (i.e., greater than 8 characters), it associates two versions of the file name with the file--the original, long file name and an 8.3-compliant short file name that is derived from the long name in a predictable manner.

Some Win32-based web servers have not compensated for the two file name versions when restricting access to files that have long names. The web servers attempt to restrict access by building an internal list of restricted file names. However, for files with long names, only the long, and not the short, file name is added to this internal list. This leaves the file unprotected by the web server because the file is still accessible via the short file name.
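The gap described above, as an added example that is not from the advisory or from any web server's code: a constructed model of a directory in which each long-named file also has a short alias, with the flawed list check beside one that resolves the requested name to its file first, plus an audit of names the list misses. The alias derivation is a simplified assumption (six characters, ~N, three-character extension), and all function names and sample file names are hypothetical.

```python
import re

# Added illustration: a constructed model, not IIS, PWS or Win32 code.
EIGHT_DOT_THREE = re.compile(r"^[A-Z0-9_-]{1,8}(\.[A-Z0-9_-]{1,3})?$")

def short_alias(long_name, taken):
    """Simplified 8.3 alias: six characters of the base, '~N', three of the
    extension. Assumption: real Windows derivation covers more cases."""
    name = long_name.upper()
    if EIGHT_DOT_THREE.match(name):
        return name  # already 8.3-compliant, so the file has one name only
    base, _, ext = name.rpartition(".") if "." in name else (name, "", "")
    base = re.sub(r"[^A-Z0-9_-]", "", base)[:6]
    ext = re.sub(r"[^A-Z0-9_-]", "", ext)[:3]
    n = 1
    while f"{base}~{n}" + (f".{ext}" if ext else "") in taken:
        n += 1
    return f"{base}~{n}" + (f".{ext}" if ext else "")

class Directory:
    """Maps every name (long or short, case-insensitive) to its file."""
    def __init__(self, long_names):
        self.names = {}
        for long_name in long_names:
            self.names[short_alias(long_name, self.names)] = long_name
            self.names[long_name.upper()] = long_name

    def resolve(self, requested):
        return self.names.get(requested.upper())  # None if no such file

def flawed_is_restricted(requested, restricted):
    # The behaviour described above: the request string is compared with a
    # list that holds only the long names.
    return requested.upper() in {r.upper() for r in restricted}

def hardened_is_restricted(requested, restricted, directory):
    # Resolve the request to the file it names, then consult the list.
    target = directory.resolve(requested)
    return target is not None and target.upper() in {r.upper() for r in restricted}

def uncovered_names(restricted, directory):
    # Audit: names that reach a restricted file but are missing from the list.
    listed = {r.upper() for r in restricted}
    return sorted(n for n, f in directory.names.items()
                  if f.upper() in listed and n not in listed)

# Constructed sample data.
SITE = Directory(["quarterly-report.html", "quarterly-review.html", "index.htm"])
RESTRICTED = ["quarterly-report.html"]
```
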

Users are able to gain unauthorized access to files protected solely by the web server.

Obtain and install a patch for this problem.

Microsoft IIS 4.0 and PWS 4.0 with the appropriate patch are not vulnerable.

IIS 4.0 and PWS 4.0 maintain certain configuration information about directories and files in a database called the metabase. The metabase does not contain file permissions, but rather Web server-specific information such as requiring SSL encryption, proxy cache setting, and PICS ratings. Actual file and directory permissions are enforced by NTFS and are not affected by this problem.

Earlier versions of IIS and PWS are not vulnerable to this issue.

None of the beta releases of Apache for Win32 are vulnerable to this particular problem.

If you want to find out more, you may want to check out these sites:

Microsoft Security Advisor Website

CERT publications

Source: cert.org


© 1997-2012 Security-Solutions.net   All Rights Reserved.  Privacy Statement.