[22279] in bugtraq
Re: MS-DOS Filename/Directory Vulnerability
daemon@ATHENA.MIT.EDU (Seth Arnold)
Thu Aug 16 21:51:58 2001
Date: Thu, 16 Aug 2001 16:32:00 -0700
From: Seth Arnold <sarnold@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20010816163200.U30929@wirex.com>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <005401c126c1$b0e92ea0$b139f4c8@pp>; from fmoniz@ig.com.br on Thu, Aug 16, 2001 at 07:08:16PM -0700

On Thu, Aug 16, 2001 at 07:08:16PM -0700, Felipe Moniz wrote:
> I tested this in the PWS (based on IIS 4) and it worked.
>
> I created a file called "clientlist2001.txt" and with client~1.txt
> (www.site.com/client~1.txt) I get the clientlist2001.txt without knowing the
> complete name of the file. The problem also occurs when I type
> "postin~1.htm" to access the "postinfo.html" file.

This is a known problem. There is a switch that can be thrown somewhere
(possibly only in the registry, but I thought I had seen a checkbox for
this somewhere...) that does not generate the MSDOS names on NTFS
partitions.

Microsoft has written a guide to securing WinNT; I bet they have updated
it for Win2k as well. They detail how to turn off the MSDOS filename
support in that document.

Cheers!
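
An added example, not part of either post: a small audit that lists which files in a web root carry a second, MS-DOS style name, so an administrator can check that access controls keyed on the long name also cover the alias. It assumes the simplified rule visible in the thread (first six characters, "~1", first three characters of the extension) and ignores collision numbering ("~2" and later) and hash-based aliases; the function names and the sample listing are constructed.

```python
import re

# Characters that are not legal in an 8.3 name; alias generation turns them into "_".
_ILLEGAL = re.compile(r"[+,;=\[\]]")


def _split(name):
    """Split at the last dot into (base, extension); no dot means no extension."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def is_8dot3(name):
    """True if the name already fits 8.3, so no separate short alias is needed."""
    base, ext = _split(name)
    if not (1 <= len(base) <= 8 and len(ext) <= 3):
        return False
    return not ("." in base or " " in name or _ILLEGAL.search(name))


def first_alias(name):
    """Approximate first alias (the ~1 form) of a long name.

    Simplified assumption: spaces and extra dots are dropped, illegal
    characters become "_". Returned in lower case as written in the thread;
    Windows matches the alias case-insensitively.
    """
    base, ext = _split(_ILLEGAL.sub("_", name.replace(" ", "")))
    base = base.replace(".", "")
    return (base[:6] + "~1" + ("." + ext[:3] if ext else "")).lower()


def audit(names):
    """Map each long file name to the alias it is likely also reachable by."""
    return {n: first_alias(n) for n in names if not is_8dot3(n)}


# Constructed listing of a web root; the first two names come from the post above.
SAMPLE = ["clientlist2001.txt", "postinfo.html", "index.htm", "default.asp"]

if __name__ == "__main__":
    for long_name, alias in audit(SAMPLE).items():
        print(f"{long_name} is also reachable as {alias}")
```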