Re: Bug in IIS and PWS but only for Windows 9x. Re: Personal web

[marcs () ZNEP COM (Marc Slemko)]

On Wed, 20 Jan 1999, Victor Lavrenko wrote:

> > > > > > "Aleph" == Aleph One <aleph1 () UNDERGROUND ORG> writes:
>
> Hello everybody.
>
> This bug exists because Windows 9x has a nice feature. When you
> excecute "cd .." it goes to the parent directory, and "cd ..." goes to
> the parent directory of parent directory etc. Windows NT has no such
> feature so it isn't exploitable.

Yup.  I haven't looked into the issue with these particular servers,
but Apache on Win32 used to be impacted by this same issue until it
was fixed in 1.3.1.

I think we have run into a half dozen different special case situations in
Apache where "magic" filenames needed to be dealt with specially under 95
and/or NT to avoid security holes.

You have to deal with:

        - case sensitivity
        - short filenames
        - trailing "."s on filenames
        - three or more "."s
        - special filenames (eg. "aux")

Those are all the "multiple names for one file" or "magic file name"
issues I can think of right now; I am sure there are more that I can't
think of and that I don't know about.  At various times, various Win32 web
servers have been vulnerable to the above issues.  Unfortunately, trying
to find a canonical list of the ways that filename variance can occur in
Windows is difficult, and it is obvious that Microsoft doesn't have it
down either, based on the fact that many of these bugs have appeared in
IIS in the past as well.

These issues also can appear differently depending on if you are using
95/98/NT3.5/NT4 and depending on what filesystem you are using, so testing
for them isn't as simple as you would hope.

It really makes me wish for a nice young system, one that didn't have time
to get all this accumulated cruft.  Oh.  Wait.  Unix is a crufty old
system and even it doesn't have this particular cruft.  In this particular
area, Windows gets a heck of a lot of thumbs down.