[22281] in bugtraq
RE: MS-DOS Filename/Directory Vulnerability
daemon@ATHENA.MIT.EDU (Troy Murray)
Thu Aug 16 22:50:42 2001
From: "Troy Murray" <murrayt5@msu.edu>
To: <bugtraq@securityfocus.com>
Date: Thu, 16 Aug 2001 22:07:19 -0400
Message-ID: <00ea01c126c1$593120a0$0100a8c0@tmurray>
In-Reply-To: <20010816163200.U30929@wirex.com>
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\FileSystem
Name: NtfsDisable8dot3NameCreation
Type: REG_DWORD
Value: 1 (turns off 8.3 name generation; only 16-bit needs it).
===========================================
Troy D. Murray
Microcomputer Hardware/Software Coordinator
Michigan State University
College of Human Medicine
Department of Medicine
Immunohematology & Serology Lab
B228 Life Science
East Lansing, MI 48824-1034
(P) 517-432-3545
(F) 517-353-5436
(E) murrayt5@msu.edu
-----Original Message-----
From: Seth Arnold [mailto:sarnold@wirex.com]
Sent: Thursday, August 16, 2001 7:32 PM
To: bugtraq@securityfocus.com
Subject: Re: MS-DOS Filename/Directory Vulnerability
On Thu, Aug 16, 2001 at 07:08:16PM -0700, Felipe Moniz wrote:
> I tested this in the PWS (based on IIS 4) and it worked.
>
> I created a file called "clientlist2001.txt" and with client~1.txt
> (www.site.com/client~1.txt) I get the clientlist2001.txt without knowing
> the complete name of the file. The problem also occurs when I type
> "postin~1.htm" to access the "postinfo.html" file.
This is a known problem. There is a switch that can be thrown somewhere
(possibly only in the registry, but I thought I had seen a checkbox for
this somewhere...) that does not generate the MSDOS names on NTFS
partitions.
Microsoft has written a guide to securing WinNT; I bet they have updated
it for Win2k as well. They detail how to turn off the MSDOS filename
support in that document.
Cheers!
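
The following is an added example, not part of either post: a PowerShell sketch that checks and applies the registry value given above, then lists files under a web root that still carry an 8.3 alias, because the setting only stops new short names from being generated and files created earlier keep theirs. It assumes PowerShell 3.0 or later and an elevated session; the `$WebRoot` default is a hypothetical path.

```powershell
# Added example. $WebRoot is an assumed path; point it at the content
# directory of the server being audited.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot'
)

# Key and value name exactly as given in the post.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisable8dot3NameCreation'

# 1. Report the current setting (1 = 8.3 name generation turned off).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Output "$name is currently: $current"

# 2. Apply the value from the post if it is not already set.
if ($current -ne 1) {
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    Write-Output "$name set to 1"
}

# 3. Find files that still have a short alias different from their long
#    name. These were created while 8.3 generation was on and remain
#    reachable as e.g. client~1.txt until they are recreated.
$fso = New-Object -ComObject Scripting.FileSystemObject
Get-ChildItem -Path $WebRoot -Recurse -File | ForEach-Object {
    $short = $fso.GetFile($_.FullName).ShortName
    if ($short -ne $_.Name) {
        [pscustomobject]@{
            LongName  = $_.FullName
            ShortName = $short
        }
    }
}
```

Files reported in step 3 lose their alias only when they are recreated (for example, copied to a new name and moved back) after the setting is in effect.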