Bugtraq mailing list archives
Re: Personal web server
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Wed, 20 Jan 1999 23:20:16 -0800
In message <19990120165948.A14518 () underground org>, Aleph One writes:
I thought we've seen the last of these Windows file aliases vulnerabilities. Guess I was wrong. Incredible the amount of cruft the Windows file name parser will take. Wonder what other wonderful aliases are waiting to be discovered.
I'm sure there are others; determining access permissions by application-level parsing of file names is a fundamentally flawed notion. I've watched it fail for at least 20 years, in systems at least as old as uucp through today's Web servers. And it's not just Windows, though the complexity of its syntax compared to that of Unix makes life much tougher. And think of all of the opportunities for race conditions with this sort of parsing, especially with complex types.
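An added example, not part of the message above or of any code from the thread: it contrasts a check made on the path string with a check made on the identity of the file actually opened. As an assumption for illustration, Unix aliases (a symlink and a hard link) stand in for the Windows file aliases under discussion, and all file names are constructed.

```python
import os
import tempfile

def name_check_allows(requested, protected):
    """Flawed approach: decide access by comparing path strings."""
    return os.path.normpath(requested) != os.path.normpath(protected)

def identity_check_open(requested, protected):
    """Open first, then compare the identity of the object actually opened.

    Returns an open file descriptor, or None if the request resolves to the
    protected file. Checking the descriptor (fstat) rather than the name also
    closes the check-then-open race window.
    """
    fd = os.open(requested, os.O_RDONLY)
    got, prot = os.fstat(fd), os.stat(protected)
    if (got.st_dev, got.st_ino) == (prot.st_dev, prot.st_ino):
        os.close(fd)
        return None
    return fd

def demo():
    """Build a constructed directory with one protected file and two aliases."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "secret.cfg")   # constructed name
        public = os.path.join(root, "index.html")      # constructed name
        for path in (protected, public):
            with open(path, "w") as f:
                f.write("data")
        soft = os.path.join(root, "alias-symlink")
        hard = os.path.join(root, "alias-hardlink")
        os.symlink(protected, soft)
        os.link(protected, hard)
        for label, path in (("direct", protected), ("symlink", soft),
                            ("hardlink", hard), ("public", public)):
            fd = identity_check_open(path, protected)
            if fd is not None:
                os.close(fd)
            # (allowed by name check, allowed by identity check)
            results[label] = (name_check_allows(path, protected), fd is not None)
    return results

if __name__ == "__main__":
    for label, (by_name, by_identity) in demo().items():
        print(f"{label:9} name-check allows={by_name!s:5} identity-check allows={by_identity}")
```

The name check only refuses the one spelling it was given; the identity check refuses every alias because it asks the file system what was opened instead of parsing the name itself.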