[12241] in bugtraq
The old "." problem
daemon@ATHENA.MIT.EDU (nblasgen@NICK.REFRACT.COM)
Wed Oct 13 21:58:59 1999
Message-Id: <Pine.LNX.4.10.9910131527470.23529-100000@nick.refract.com>
Date: Wed, 13 Oct 1999 15:31:02 -0700
Reply-To: nblasgen@NICK.REFRACT.COM
From: nblasgen@NICK.REFRACT.COM
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3802E898.47D1A7F3@enternet.se>

A while back there was the problem of Windows HTTP servers with CGI and
other server-parsed pages (ASF, SMX, etc.): if you added a "." to the end, it
would give you the raw code in TEXT format. I understand how that was a
security problem.

Just noticed that the same problem is true for at least one Windows FTP
server, Serv-U. I can't find a problem with being able to request files
with an extra "." at the end. I was unable to test the idea of downloading
files that I had no permissions to.

Nicholas Blasgen
Refract, LLC
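
The trailing-dot mismatch discussed in this message, as an added example that is not part of the original post: Win32 file APIs drop trailing dots and spaces from a file name, so a server that picks a handler or permission rule from the literal request string can disagree with the file the OS actually opens. The extension table, function names and sample paths are hypothetical and constructed for illustration.

```python
import posixpath

# Constructed handler table: extensions the server must execute, never send raw.
SCRIPT_EXTENSIONS = {".cgi", ".pl"}


def win32_effective_name(segment: str) -> str:
    """Name Win32 would open: trailing dots and spaces are dropped."""
    return segment.rstrip(". ")


def naive_classify(request_path: str) -> str:
    """Handler chosen from the literal request string (the flawed approach)."""
    ext = posixpath.splitext(request_path)[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def classify(request_path: str) -> str:
    """Handler chosen only after the name is known to be canonical.

    Returns 'reject', 'script' or 'static'. Every segment is checked, which is
    stricter than necessary but keeps the rule simple.
    """
    segments = [s for s in request_path.split("/") if s]
    for seg in segments:
        if seg in (".", ".."):
            return "reject"  # no relative traversal in request paths
        if win32_effective_name(seg) != seg:
            return "reject"  # wire name differs from the file the OS opens
    if not segments:
        return "static"
    ext = posixpath.splitext(segments[-1])[1].lower()
    return "script" if ext in SCRIPT_EXTENSIONS else "static"


def compare(paths):
    """Return (path, naive decision, hardened decision) for each sample path."""
    return [(p, naive_classify(p), classify(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample requests.
    samples = ["/cgi-bin/form.cgi", "/cgi-bin/form.cgi.",
               "/cgi-bin/form.cgi ", "/index.html"]
    for path, naive, hardened in compare(samples):
        print(f"{path!r:24} naive={naive:7} hardened={hardened}")
```

The same canonical-name comparison applies to an FTP server's per-file permission lookup: the rule should be evaluated against the name the file system will resolve, not the string the client sent.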