On Wed, 20 Jan 1999, Victor Lavrenko wrote:

> >>>>> "Aleph" == Aleph One <aleph1at_private> writes:
>
> Hello everybody.
>
> This bug exists because Windows 9x has a nice feature. When you
> execute "cd .." it goes to the parent directory, and "cd ..." goes to
> the parent directory of parent directory etc. Windows NT has no such
> feature so it isn't exploitable.

Yup.

I haven't looked into the issue with these particular servers, but Apache on Win32 used to be impacted by this same issue until it was fixed in 1.3.1.

I think we have run into a half dozen different special case situations in Apache where "magic" filenames needed to be dealt with specially under 95 and/or NT to avoid security holes. You have to deal with:

- case sensitivity
- short filenames
- trailing "."s on filenames
- three or more "."s
- special filenames (e.g. "aux")

Those are all the "multiple names for one file" or "magic file name" issues I can think of right now; I am sure there are more that I can't think of and that I don't know about. At various times, various Win32 web servers have been vulnerable to the above issues.

Unfortunately, trying to find a canonical list of the ways that filename variance can occur in Windows is difficult, and it is obvious that Microsoft doesn't have it down either, based on the fact that many of these bugs have appeared in IIS in the past as well. These issues also can appear differently depending on if you are using 95/98/NT3.5/NT4 and depending on what filesystem you are using, so testing for them isn't as simple as you would hope.

It really makes me wish for a nice young system, one that didn't have time to get all this accumulated cruft. Oh. Wait. Unix is a crufty old system and even it doesn't have this particular cruft. In this particular area, Windows gets a heck of a lot of thumbs down.
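The list of "magic file name" cases above (case folding, 8.3 short names, trailing dots, runs of three or more dots, device names such as "aux") is what a Win32 web server has to refuse before it ever hands a request path to the filesystem. The following Python is an added example written for this archive page; it is not code from the post, from Apache or from any of the servers discussed. The function names, the constructed request paths and the "protected prefix" idea are assumptions for illustration; the reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) are the standard Win32 set. The check is deliberately conservative: it refuses anything that merely looks like one of these variants rather than trying to model how each Windows version resolves it.

```python
import posixpath
import re

# Win32 device names are reserved regardless of extension: "aux.txt" still
# names the AUX device. COM1-9 and LPT1-9 are the classic numbered set.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# 8.3 short names look like PROGRA~1; a request using one can alias a long
# name that an access rule was written against.
SHORT_NAME_RE = re.compile(r"~\d+")


def component_issues(component):
    """Return the list of Win32 'magic name' problems with one path component."""
    issues = []
    if component in ("", ".", ".."):
        return issues  # ordinary traversal is handled by the path walker
    if component[-1] in ". ":
        # FAT/NTFS silently strip trailing dots and spaces, so "secret.pl."
        # opens "secret.pl" while bypassing a rule that names "secret.pl".
        issues.append("trailing dot or space")
    if "..." in component:
        # On Windows 9x "..." climbs two directories, per the quoted report.
        issues.append("three or more consecutive dots")
    base = component.split(".", 1)[0].rstrip(" ")
    if base.upper() in RESERVED_DEVICE_NAMES:
        issues.append("reserved device name " + base.upper())
    if SHORT_NAME_RE.search(component):
        issues.append("possible 8.3 short name")
    return issues


def check_request_path(url_path, protected_prefixes=()):
    """Return reasons to refuse the request; an empty list means it passed.

    Every component is checked for magic names, the walk is refused if it
    would climb above the document root, and protected prefixes are compared
    case-insensitively because Win32 filesystems ignore case.
    """
    reasons = []
    depth = 0
    for comp in url_path.split("/"):
        if comp == "..":
            depth -= 1
            if depth < 0:
                reasons.append("traversal above document root")
                break
        elif comp not in ("", "."):
            depth += 1
        for issue in component_issues(comp):
            reasons.append(f"{comp!r}: {issue}")

    # Normalize and case-fold before matching access rules, so "/CGI-BIN/x"
    # and "/cgi-bin/./x" hit the same rule as "/cgi-bin/x".
    normalized = posixpath.normpath("/" + url_path.lstrip("/")).casefold()
    for prefix in protected_prefixes:
        p = posixpath.normpath("/" + prefix.lstrip("/")).casefold()
        if normalized == p or normalized.startswith(p.rstrip("/") + "/"):
            reasons.append(f"protected area {prefix}")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests, one per variant named in the post.
    for path in ("/docs/index.html", "/docs/.../boot.ini", "/cgi-bin/aux.pl",
                 "/cgi-bin/secret.pl.", "/PROGRA~1/x.txt", "/../autoexec.bat",
                 "/CGI-BIN/Private/run.pl"):
        print(path, "->", check_request_path(path, ("/cgi-bin/private",)) or "ok")
```

Refusing early, on the request string, is the point: once a path reaches the filesystem, each Windows version and filesystem applies its own aliasing rules, which is exactly why the post says testing for these cases is harder than one would hope.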
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:26 PDT