An exploitation involving long file names on Microsoft Windows-based web
servers has recently been described on public mailing lists. When files on the
web server have names longer than 8.3 (8 characters plus a 3-character
extension), users can gain unauthorized access to files protected solely
by the web server.
All 32-bit Microsoft Windows operating systems (commonly known as Win32)
can associate two different file names with a stored file, a short name
and a long name. The short version, known as 8.3-compliant, is restricted
to a length of 8 characters and an extension of 3 characters. This
version is required for backward compatibility with DOS. The long version
of the file name is not restricted to the 8.3-compliant format but is
restricted to a total length of 255 characters.
When Win32 stores a file with a short name (i.e., 8.3-compliant), it
associates only that short file name with the file. However, when Win32
stores a file with a long name (i.e., greater than 8 characters), it
associates two versions of the file name with the file--the original, long
file name and an 8.3-compliant short file name that is derived from
the long name in a predictable manner.
Some Win32-based web servers have not compensated for the two file name
versions when restricting access to files that have long names. The web
servers attempt to restrict access by building an internal list of
restricted file names. However, for files with long names, only the
long, and not the short, file name is added to this internal list. This
leaves the file unprotected by the web server because the file is still
accessible via the short file name.
Users are able to gain unauthorized access to files protected solely by
the web server.
Obtain and install a patch for this problem
Microsoft IIS 4.0 and PWS 4.0 with the appropriate patch are not
IIS 4.0 and PWS 4.0 maintain certain configuration information about
directories and files in a database called the metabase. The metabase does
not contain file permissions, but rather Web server-specific information
such as requiring SSL encryption, proxy cache setting, and PICS ratings.
Actual file and directory permissions are enforced by NTFS and are not
affected by this problem.
Earlier version of IIS and PWS are not vulnerable to this issue.
None of the beta releases of Apache for Win32 are vulnerable to this
If you want to find out more, you may want to check out these sites:
Microsoft Security Advisor Website