Re: Unusal response from IIS with some file names

[Rob Wilson <r.wilson () BUSINESSHEALTH CO UK>]

on iis 4
.... It is not just endings
try
www.server.co.uk/aaaa:~1aaaaaa

this gives a 500

you can keep adding characters and eventually (i've not counted when) it
turns back into a 404

Rob

-----Original Message-----
From: Kevin van Haaren [mailto:kevinv () HOCKEY NET]
Sent: Wednesday, March 14, 2001 12:22
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Unusal response from IIS with some file names


At 18:43 +0100 3/12/2001, Woch, Wojciech wrote:
> Hello,
>
> IIS v4.0 seems to give an usual response when non-existing files ending
with
> one of the following sequences of characters are requested:
>
> :~n
> |~n
> ~n:
> ~n|
>
> where "n" stands for a number between 0-9 (ex: GET /file:~1). Instead of
the
> regular 404, we get
>
>       HTTP/1.1 500 Server Error
>       Server: Microsoft-IIS/4.0
>       Date: Mon, 12 Mar 2001 17:08:27 GMT
>       Content-Type: text/html
>       Content-Length: 126
>
>       <html><head><title>Error</title></head><body>The filename,
>       directory name, or volume label syntax is incorrect.
>       </body></html>

This may be related to NT's 8.3 short naming for DOS/Win 3.x
compatibility.  From Microsoft:

Under Windows NT 3.1 NTFS, longfile names are converted to 8.3 names
to support DOS based clients. This conversion simply takes the first
6 characters of the long name, and uses a "~n" suffix (where "n" is
number) to keep the name unique if needed. When the tenth filename is
converted and the suffix exceeds 2 characters, only 5 characters of
the name are used to accommodate the three characters in the suffix
and so on as needed.

It could be that IIS is getting an error other than "file not found"
error because NT gives a different response for filenames in what it
things are 8.3 format.

Not sure if disabling the 8.3 name creation will fix this but here's how:
http://support.microsoft.com/support/kb/articles/Q121/0/07.asp