Bugtraq mailing list archives
AW: Windows MS-DOS Device Name DoS vulnerabilities
From: <tux () centrum cz>
Date: Tue, 17 Jul 2001 13:04:45 +0200
And what about trying to use

HANDLE FindFirstFile("name_of_the_file_or_device",LPWIN32FINDDATA)

This will find the file successfully if it is a file, or return "file not found error" if it is a device (since the devices are not listed in directory listing and are "invisible" to FindFirstFile) or the file is not in current directory and cannot be thus served.

If you just check the filename for wildcards like * and ? you will be safe on even unpatched windows with the con\con BSOD bug, I think ...

Martin Petricek
______________________________________________________________
From: "Martin Werner" <bugtraq () martinwerner de>
To: <BUGTRAQ () SECURITYFOCUS COM>
CC:
Date: Mon, 16 Jul 2001 12:30:59 +0200
Subject: AW: Windows MS-DOS Device Name DoS vulnerabilities

Just want to give a new thought.

Fact is, that on the one hand side, it's merely impossible to write a safe ftp server using Microsoft's Filesystem, because device names can cause trouble (and I think, this is not a bug, but it's been discussed).

So I think, good coding practice is not using a function, you cannot be sure to work (noticed the incompatibilities between different versions of windows etc.)

In such a situation, the only safe thing one can do, is to a) change the whole behaviour of windows causing immense trouble porting applications. or better take it in your own hand.

I think, that one has to write a flatfile engine, the faster, the better, that works with ! ! one ! file in the windows filesystem with a name, the coder chooses and thinks to be secure.

It could be a good open source project, to write a filesystem, that can be put into a binary file on any platform. A great step in compatibility between systems.

Keep on testing software!

Martin Werner

P.S. Feel free to contact me at: www.martinwerner.de martin () martinwerner de
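The filename check this thread discusses, as an added example that is not part of the original messages: a portable C pre-filter that a file server could run on a client-supplied path before any file API sees it, refusing wildcards and any path component that resolves to an MS-DOS device name. `path_is_safe` is a hypothetical name, and the reserved-name list is the standard Win32 set rather than anything quoted in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Reserved MS-DOS device names from the Win32 file-naming rules. */
static const char *const RESERVED[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Case-insensitive compare of the first n bytes of s against all of name. */
static int stem_equals(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* One path component of length len: 1 if acceptable, 0 if it must be refused. */
static int component_ok(const char *c, size_t len)
{
    size_t stem = 0;
    if (len == 0) return 1;                        /* "a//b" or a leading slash */
    for (size_t i = 0; i < len; i++)
        if (c[i] == '*' || c[i] == '?') return 0;  /* wildcards */
    /* Stem = text before the first '.' or ':' ("con.txt" still names CON). */
    while (stem < len && c[stem] != '.' && c[stem] != ':') stem++;
    while (stem > 0 && c[stem - 1] == ' ') stem--; /* "nul " is treated as "nul" */
    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (stem_equals(c, stem, RESERVED[i])) return 0;
    return 1;
}

/* Hypothetical helper: vet every component of a path, split on '\' and '/'. */
int path_is_safe(const char *path)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == '\\' || *p == '/' || *p == '\0') {
            if (!component_ok(start, (size_t)(p - start))) return 0;
            if (*p == '\0') return 1;
            start = p + 1;
        }
    }
}
```

The check is purely lexical, so it behaves the same on patched and unpatched systems and never opens the name it is judging.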