Re: Personal web server

From: Steven M. Bellovin (smbat_private)
Date: Wed Jan 20 1999 - 23:20:16 PST


    In message <19990120165948.A14518at_private>, Aleph One writes:
    
    >
    >I thought we've seen the last of these Windows file aliases vulnerabilities.
    >Guess I was wrong. Incredible the amount of cruft the Windows file name
    >parser will take. Wonder what other wonderful aliases are waiting to be
    >discovered.
    
    I'm sure there are others; determining access permissions by application-level
    parsing of file names is a fundamentally flawed notion.  I've watched it fail
    for at least 20 years, in systems at least as old as uucp through today's
    Web servers.  And it's not just Windows, though the complexity of its
    syntax compared to that of Unix makes life much tougher.  And think of all
    of the opportunities for race conditions with this sort of parsing, especially
    with complex types.
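
An added illustration of the point made in the message above; it is not part of the original post and not its author's code. It runs on a POSIX filesystem, where a hard link and a symlink stand in for the Windows file-name aliases under discussion, and every file name and helper function in it is constructed for the example. It compares a string-based deny check with a check made on the opened object itself.

```python
import os
import tempfile

PROTECTED_NAME = "secret.txt"  # constructed sample name

def allowed_by_name(request: str) -> bool:
    """Application-level check: normalise the string, compare to a deny list."""
    return os.path.normpath(request).lower() != PROTECTED_NAME

def open_if_allowed(root: str, request: str, protected_id: tuple):
    """Object-level check: open first, then inspect the descriptor itself.

    Returns an open fd, or None if the opened object is the protected file.
    The check and any later read use the same descriptor, so the name cannot
    be re-pointed at another object between check and use.
    """
    fd = os.open(os.path.join(root, request), os.O_RDONLY)
    st = os.fstat(fd)
    if (st.st_dev, st.st_ino) == protected_id:
        os.close(fd)
        return None
    return fd

def demo() -> dict:
    """Build a constructed directory and run both checks over each request."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, PROTECTED_NAME)
        with open(secret, "w") as f:
            f.write("protected\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("public\n")
        os.link(secret, os.path.join(root, "hardlink.txt"))  # second name, same inode
        os.symlink(PROTECTED_NAME, os.path.join(root, "symlink.txt"))
        st = os.stat(secret)
        protected_id = (st.st_dev, st.st_ino)
        requests = ("index.html", "secret.txt", "./secret.txt",
                    "hardlink.txt", "symlink.txt")
        for request in requests:
            fd = open_if_allowed(root, request, protected_id)
            if fd is not None:
                os.close(fd)
            results[request] = (allowed_by_name(request), fd is not None)
    return results

if __name__ == "__main__":
    for request, (by_name, by_object) in demo().items():
        print(f"{request:14} name check allows={by_name!s:5} object check allows={by_object}")
```

The name check handles the spellings its parser knows about (`./secret.txt`, case changes) but allows both link names, while the descriptor check refuses all four routes to the protected file because it never interprets the name at all.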
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:29 PDT