[9139] in bugtraq
Re: Personal web server
daemon@ATHENA.MIT.EDU (Aleph One)
Wed Jan 20 19:27:27 1999
Date: Wed, 20 Jan 1999 16:59:48 -0800
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
Here is a summary of the problem so far. Windows 95/98 treat "...." as
"..\.." and "......" as "..\..\..". Personal Web Server does not check
for these "aliases" and allows the request. This can be used to
access files and directories above the virtual web root. Disabling
directory browsing only does what it says, disables directory browsing.
If an attacker can guess a path and name of a file, and it is in the same
drive as the web server, he can retrieve the file.

The problem only affects FrontPage Personal Web Server. This is the
version shipped with FrontPage. The version not affected is the
Microsoft Personal Web Server.

I thought we've seen the last of these Windows file aliases vulnerabilities.
Guess I was wrong. Incredible the amount of cruft the Windows file name
parser will take. Wonder what other wonderful aliases are waiting to be
discovered.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
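
The missing check described in the message above, sketched as an added example (not part of the original post and not code from any Microsoft product): a request-path validator that refuses dot-run segments such as "...." and "......" instead of passing them to the file system. The function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

def resolve_request_path(url_path):
    """Return path segments below the web root, or None to refuse the request.

    Hypothetical helper for this example; name and return convention are assumptions.
    """
    decoded = unquote(url_path)          # decode %2e etc. before inspecting
    if "\x00" in decoded:
        return None
    resolved = []
    # Split on both separators, since the Windows file system accepts either.
    for seg in re.split(r"[/\\]+", decoded):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not resolved:
                return None              # would climb above the web root
            resolved.pop()
        elif re.fullmatch(r"\.+", seg):
            return None                  # "....", "......": dot-run alias, refuse
        else:
            resolved.append(seg)
    return resolved

# Constructed sample requests (not taken from any real log).
SAMPLE_REQUESTS = [
    "/index.htm",
    "/docs/../index.htm",
    "/..../file.txt",
    "/docs/....../file.txt",
    "/%2e%2e%2e%2e/file.txt",
    "/docs\\....\\file.txt",
    "/../file.txt",
    "/a.b/file...txt",
]

def audit(requests=SAMPLE_REQUESTS):
    """Map each request to its resolved segments, or None if refused."""
    return {r: resolve_request_path(r) for r in requests}

if __name__ == "__main__":
    for req, result in audit().items():
        print(f"{req!r:32} -> {'REFUSED' if result is None else '/'.join(result)}")
```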