Bugtraq mailing list archives
Re: Personal web server
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Wed, 20 Jan 1999 16:59:48 -0800
Here is a summary of the problem so far. Windows 95/98 treat "...." as "..\.." and "......" as "..\..\..". Personal Web Server does not check for these "aliases" and allows the request. This can be used to access files and directories above the virtual web root. Disabling directory browsing only does what it says, disables directory browsing. If an attcker can guess a path and name of a file, and it is in the same drive as the web server, he can retrieve the file. The problem only affects FrontPage Personal Web Server. This is the version shipped with FrontPage. The version not affected is the Microsoft Personal Web Server. I tought we've seen the last of these Windows file aliases vulnerabilities. Guess I was wrong. Incredible the amount of cruft the Windows file name parser will take. Wonder what other wonderful aliases are waiting to be discovered. -- Aleph One / aleph1 () underground org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Current thread:
- Re: Personal web server kiborg (Jan 18)
- <Possible follow-ups>
- Re: Personal web server Sean Coates (Jan 18)
- Re: Personal web server Aleph One (Jan 19)
- Bug in IIS and PWS but only for Windows 9x. Re: Personal web Victor Lavrenko (Jan 20)
- Re: Bug in IIS and PWS but only for Windows 9x. Re: Personal web Marc Slemko (Jan 20)
- Bug in IIS and PWS but only for Windows 9x. Re: Personal web Victor Lavrenko (Jan 20)
- Re: Personal web server Michael Howard (Jan 19)
- Re: Personal Web Server Fredrick Moore (Jan 19)
- Re: Personal web server Sean Coates (Jan 19)
- Re: Personal web server Aleph One (Jan 20)
- Re: Personal web server Aleph One (Jan 20)
- Re: Personal web server Steven M. Bellovin (Jan 20)
- Re: Personal web server Aleph One (Jan 21)
- Re: Personal Web Server Ian O'Friel (Jan 22)
- Re: Personal Web Server Eric Stevens (Jan 24)
- Re: Personal Web Server Tris (Jan 24)