Bugtraq mailing list archives
Q179148: Settings May Not Be Applied with URL with Short Filename
From: aleph1 () DFW DFW NET (Aleph One)
Date: Fri, 23 Jan 1998 22:16:40 -0600
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix/

Settings May Not Be Applied with URL with Short Filename

---------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Server version 4.0
 - Microsoft Personal Web Server version 4.0
---------------------------------------------------------------------------

SYMPTOMS
========

Microsoft has been made aware of an issue in Internet Information Server (IIS) 4.0 and Personal Web Server (PWS) 4.0 in which certain configuration settings may not be applied when a URL with short file name equivalents is requested. These configuration settings include restricting access by IP address, PICS ratings, and requiring SSL encryption. Windows NT file permissions (ACLs) are not affected.

Users are able to access certain directories or files through IIS 4.0 or PWS 4.0 and bypass specific security settings such as SSL encryption.

CAUSE
=====

The Windows NT and Windows 95 file systems (FAT, FAT32, and NTFS) support file names of up to 255 characters. To maintain compatibility with older, non 32-bit applications, a short file name (called the 8.3 file name) is created for each file. This short file name equivalent is used by older applications to access directories and files with long names.

IIS 4.0 and PWS 4.0 maintain certain configuration information about directories and files in a database called the metabase. The metabase does not contain file permissions, but rather Web server-specific information such as requiring SSL encryption, proxy cache setting, and PICS ratings. Actual file and directory permissions are enforced by NTFS and are not affected by this problem.

In certain cases when a URL is requested using the short file name, it is possible that configuration properties specified in the metabase may not be applied as expected.

This issue only occurs where long file names are used for directories or files, and specific metabase configuration properties are set on those directories or files. File permissions by a user or group using NTFS access control lists (ACL) are not affected.

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information Server version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.
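
Added example (not part of the Microsoft article or the original post): a log check for the condition described under CAUSE, flagging requests that reach a path with metabase settings through an 8.3 alias instead of its long name. The protected paths and log lines are constructed, and the matching covers only the common NAME~N alias shape, so confirm the real aliases on the server with dir /x.

```python
import re
from urllib.parse import unquote

# Assumption: URL paths that carry metabase settings (SSL required, IP limits).
PROTECTED = ["/SecureOrders", "/Administration/Reports"]
# Shape of the common NAME~N 8.3 alias: up to six characters, a tilde, a number.
ALIAS = re.compile(r"^([^~./\\]{1,6})~\d+(\.[^.~]{0,3})?$")

def short_stem(segment):
    """Upper-cased first six usable characters of a long name's base part."""
    base = segment.rpartition(".")[0] or segment
    return re.sub(r"[ .]", "", base)[:6].upper()

def segment_match(requested, protected):
    """Return 'long', 'alias' or None for one path segment."""
    if requested.lower() == protected.lower():
        return "long"
    m = ALIAS.match(requested)
    if m and m.group(1).upper() == short_stem(protected):
        return "alias"
    return None

def alias_hit(uri):
    """Return the protected path a URI reaches through an alias, else None."""
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    req = [s for s in path.split("/") if s]
    for prot in PROTECTED:
        want = [s for s in prot.split("/") if s]
        kinds = [segment_match(r, w) for r, w in zip(req, want)]
        if len(req) >= len(want) and None not in kinds and "alias" in kinds:
            return prot
    return None

def scan(lines):
    """Return (client, uri, protected_path) for each line that used an alias."""
    rows = (line.split() for line in lines)
    return [(r[0], r[2], alias_hit(r[2])) for r in rows if alias_hit(r[2])]

# Constructed lines: client, method, URI, status (not a real IIS log format).
SAMPLE = [
    "192.0.2.10 GET /SecureOrders/list.asp 403",
    "192.0.2.10 GET /SECURE~1/list.asp 200",
    "198.51.100.7 GET /Administration/REPORT~1/q4.htm 200",
    "198.51.100.7 GET /images/logo~2.gif 200",
    "203.0.113.5 GET /secure%7E1/list.asp 200",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit with a success status where the long-name request for the same path was refused is the pattern to review first.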