Here is a summary of the problem so far. Windows 95/98 treat "...." as "..\.." and "......" as "..\..\..". Personal Web Server does not check for these "aliases" and allows the request. This can be used to access files and directories above the virtual web root. Disabling directory browsing only does what it says, disables directory browsing. If an attcker can guess a path and name of a file, and it is in the same drive as the web server, he can retrieve the file. The problem only affects FrontPage Personal Web Server. This is the version shipped with FrontPage. The version not affected is the Microsoft Personal Web Server. I tought we've seen the last of these Windows file aliases vulnerabilities. Guess I was wrong. Incredible the amount of cruft the Windows file name parser will take. Wonder what other wonderful aliases are waiting to be discovered. -- Aleph One / aleph1at_private http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:26 PDT