Bugtraq mailing list archives

Re: Personal web server

From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Wed, 20 Jan 1999 16:59:48 -0800


Here is a summary of the problem so far. Windows 95/98 treat "...." as
"..\.." and "......" as "..\..\..". Personal Web Server does not check
for these "aliases" and allows the request. This can be used to
access files and directories above the virtual web root. Disabling
directory browsing only does what it says, disables directory browsing.
If an attcker can guess a path and name of a file, and it is in the same
drive as the web server, he can retrieve the file.

The problem only affects FrontPage Personal Web Server. This is the
version shipped with FrontPage. The version not affected is the
Microsoft Personal Web Server.

I tought we've seen the last of these Windows file aliases vulnerabilities.
Guess I was wrong. Incredible the amount of cruft the Windows file name
parser will take. Wonder what other wonderful aliases are waiting to be
discovered.

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Current thread:

Re: Personal web server kiborg (Jan 18)
- <Possible follow-ups>
- Re: Personal web server Sean Coates (Jan 18)
- Re: Personal web server Aleph One (Jan 19)
  - Bug in IIS and PWS but only for Windows 9x. Re: Personal web Victor Lavrenko (Jan 20)
    - Re: Bug in IIS and PWS but only for Windows 9x. Re: Personal web Marc Slemko (Jan 20)
- Re: Personal web server Michael Howard (Jan 19)
- Re: Personal Web Server Fredrick Moore (Jan 19)
- Re: Personal web server Sean Coates (Jan 19)
- Re: Personal web server Aleph One (Jan 20)
- Re: Personal web server Aleph One (Jan 20)
- Re: Personal web server Steven M. Bellovin (Jan 20)
- Re: Personal web server Aleph One (Jan 21)
- Re: Personal Web Server Ian O'Friel (Jan 22)
- Re: Personal Web Server Eric Stevens (Jan 24)
- Re: Personal Web Server Tris (Jan 24)