[22276] in bugtraq

MS-DOS Filename/Directory Vulnerability

daemon@ATHENA.MIT.EDU (Felipe Moniz)
Thu Aug 16 19:23:53 2001

Message-ID: <005401c126c1$b0e92ea0$b139f4c8@pp>
From: "Felipe Moniz" <fmoniz@ig.com.br>
To: <bugtraq@securityfocus.com>
Date: Thu, 16 Aug 2001 19:08:16 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 8bit

Hi all,

I tested this in PWS (based on IIS 4) and it worked.

I created a file called "clientlist2001.txt", and with client~1.txt
(www.site.com/client~1.txt) I get clientlist2001.txt without knowing the
complete name of the file. The problem also occurs when I type
"postin~1.htm" to access the "postinfo.html" file.

I think that it's simple, but it can open a range of new types of CGI attacks,
depending on the web server. It can also be used to change attack
signatures and evade intrusion detection.

PWS is vulnerable; IIS 4.0 and Sambar Server apparently are not, but certainly
other Win32 web servers are vulnerable. All long filenames, directories and
files with long extensions are vulnerable.

Can this be considered a simple data exposure? I think so. This type of
access can be dangerous, like some directory listing bugs or path
disclosure.

Sorry for my English,

Regards,

Felipe Moniz
Network Security Specialist
felipemoniz@yahoo.com
Especialista em Segurança de Redes
Rio de Janeiro, RJ - Brasil

Know about Brazil:
http://www.hideaway.net/stealth/brasil.shtml
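
Added example, not part of the original post: a log check a defender could run to spot the requests described above, where a path component has the 8.3 short-name shape and may resolve to a long-named file. It assumes the simple alias rule visible in the post's two cases (first six characters of the name, "~", a digit, first three characters of the extension); the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Shape of an 8.3 alias component: 1-6 base chars, "~", one digit, optional ext up to 3 chars.
SHORT_RE = re.compile(r"^([^~./\\]{1,6})~(\d)(?:\.([^./\\]{0,3}))?$")
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample data: file names from the post, log lines invented for this example.
PROTECTED = ["clientlist2001.txt", "postinfo.html"]
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2001:19:10:01 -0700] "GET /client~1.txt HTTP/1.0" 200 512',
    '192.0.2.10 - - [16/Aug/2001:19:10:09 -0700] "GET /postin%7E1.htm HTTP/1.0" 200 2048',
    '192.0.2.11 - - [16/Aug/2001:19:11:30 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.12 - - [16/Aug/2001:19:12:44 -0700] "GET /~felipe/notes.txt HTTP/1.0" 200 100',
]

def could_alias(component, long_name):
    """True if `component` is alias-shaped and could resolve to `long_name`."""
    m = SHORT_RE.match(component)
    if not m:
        return False
    stem, dot, ext = long_name.rpartition(".")
    if not dot:                      # no extension in the long name
        stem, ext = long_name, ""
    # Assumed simple rule: drop spaces and dots from the stem, keep the first six characters.
    basis = re.sub(r"[ .]", "", stem)[:6]
    return (m.group(1).lower() == basis.lower()
            and (m.group(3) or "").lower() == ext[:3].lower())

def flag_requests(log_lines, protected):
    """Return (decoded_path, component, matching_long_name_or_None) per alias-shaped request."""
    hits = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        # Percent-decode first so "%7E" cannot hide the tilde from the check.
        path = unquote(urlsplit(req.group(1)).path)
        for comp in re.split(r"[/\\]", path):
            if SHORT_RE.match(comp):
                target = next((p for p in protected if could_alias(comp, p)), None)
                hits.append((path, comp, target))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG, PROTECTED):
        print(hit)
```

The "/~felipe/" request is not flagged because a leading tilde is a user-directory convention, not an 8.3 alias.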


