MS-DOS Filename/Directory Vulnerability

["Felipe Moniz" <fmoniz () ig com br>]

Hi all,

I tested this in the PWS (based on IIS 4) and it worked.

I created a file called "clientlist2001.txt" and with client~1.txt
(www.site.com/client~1.txt) I get the clientlist2001.txt without know the
complete name of the file. The problem occurs also when I type
"postin~1.htm" for access "postinfo.html" file.

I think that it's simple but can open a range of new types of cgi attacks,
depending of the web server. And can be used to change attack
signatures and evade intrusion detection.

PWS is vulnerable, IIS 4.0 and Sambar Server apparently no, but certainly
other win32 web servers are vulnerable. All long filenames, directories and
files with long extensions are vulnerable.

This can be considered a simple data exposure? I think that yes. This access
type can be dangerous, like some directory listening bugs or path
disclosure.

Sorry for my english,

Regards,

Felipe Moniz
Network Security Specialist
felipemoniz () yahoo com
Especialista em Segurança de Redes
Rio de Janeiro, RJ - Brasil

Know about Brazil:
http://www.hideaway.net/stealth/brasil.shtml