Re: data stream bug still alive?

[3APA3A <3APA3A () SECURITY NNOV RU>]

Hello NDR113,

If  you  have  PHP pages handled by ISAPI filter it may be a
problem  oh  ISAPI  filter which comes with PHP 4. Check php
logs    -    if    PHP    is    called    on    request   to
http://www.server.com/file.php::$DATA  -  it's  PHP specific
problem.

--Saturday, October 27, 2001, 2:00:52 AM, you wrote to vuln-dev () securityfocus com:

N> Data Stream Bug may still work (on a unsual configuration)
N> [===================================]

N> + Past Problem
N> The Windows NT file system, NTFS, support multiple data streams within a
N> file, been DATA the main content stream.
N> Was reported on July 8, 1998 by Paul Ashton on this mailing list the
N> posibility of get remotely by IIS the source code of files like an ASP
N> script. This was done by requesting the file and ::$DATA. Microsoft relase a
N> fix, and the problem was solve on the subsequent Service Packs for Windows
N> NT.

N> + Present Problem
N> Yet, this problem -it seems to us- that on some unusual configuration as a
N> Windows NT box, with IIS and PHP scripting, persist. In our tests on two
N> separete Windows NT boxes, with IIS 4, PHP4, the fix available for the bug
N> and the latest SP6a, is still possible to obtain the source of PHP files.
N> eg. http://www.server.com/file.php::$DATA

N> + Implications
N> Besides the obvious vulnerability, this show that the fix given by Microsoft
N> far from solving the real problem, it just did the the "workarounds" on the
N> registry on how to manage specific extensions (.asp, .pl, and so on)
N> excluding .php.

N> + Final
N> Anyone how can confirm or refute this please post it.


N> + More Informtion
N> ":$DATA Stream Name of a File May Return Source"
N> http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP

N> "HOW TO: Use NTFS Alternate Data Streams"
N> http://support.microsoft.com/support/kb/articles/Q105/7/63.ASP


N> Roberto Alamos M.    (theye () 350cc com)
N> Carlos Gaona U.    (ndr113 () 350cc com)
N> www.350cc.com



-- 
~/ZARAZA
Êîãäà ïòè÷êà ïîãèáàåò îò îáæîðñòâà, åå íàíèçûâàþò íà âåðòåë.  (Ëåì)