Re: Win32 File Naming (again)

From: Marc Slemko (marcsat_private)
Date: Mon Aug 16 1999 - 12:13:57 PDT


On Sat, 14 Aug 1999, x-empt [ lvhc / lou ] wrote:

> - -- B A C K G R O U N D --
>
> While testing IIS security, I was able to locate an old flaw which is
> still present in many server services on Win32.  The problem deals
> with a compatibility issue with the old Win16/DOS file naming system
> known as the 8.3 naming system.
>
> Files using the 8.3 naming system consist of 8 characters followed by
> a period (.) and a 3 character extension, thus giving a name of "8.3"

This particular issue should be avoidable by using NTFS and disabling the
backwards-compatible 8.3 naming.

[...]
> - -- W H A T   T O   D O --
> Administrators:
>  You have 5 choices:
>  1) Run apache.  A proven web server.  :)

That does not magically avoid all problems with filename variance.  The
problems are not due to the products, but due to the very un-Unixlike
concept of having lots of magic going on in the various filename
to file routines.

>  2) Wait for vendor patches
>  3) Dial 911 and tell them somebody is breaking into your site
>  4) unplug your computer and lock it in a sealed room
>  5) Don't run windows as long as it maintains 8.3 support

You can get rid of the 8.3 support, but that still doesn't fix your
problems.  There are a significant number of other ways to get filename
variance.  Obviously, the root of the issue is that one file is accessible
via multiple names in non-obvious ways.

>
> Developers:
>  Write two functions: getLongName() and getShortName()
>   ... you figure the rest out, it's not too hard.  API works...

I would not say that "it's not too hard".  There are various things you can
do to try to form a canonical name that should get rid of the vast
majority of the issues, but that doesn't mean you have them all.  There
are so many kludges to do magic things with filenames and they are often
so obscure (either poorly or completely undocumented) it is difficult to
be certain you address them all.

The fact that Microsoft, who should have the most information and
knowledge about this, has been bitten several times and doesn't
(as far as I can see...) have any documentation identifying all of
the ways in which you can get filename variance doesn't bode well
for a nice easy solution.

Apache does have code that tries to convert all filenames to a
canonical format to avoid such problems, but who knows if there
are things it doesn't cover.

[...]

> "623 percent better Web server price/performance" isn't Linux/Apache
> Free?

The software is free, using it isn't.  I personally think that a
lot of free software has some very compelling cost of ownership
advantages, but this isn't the place...
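As an added illustration of the canonical-name approach discussed in this thread (example code written for this archive page, not code from the thread, from Apache, or from Microsoft), the following Python models the 8.3 alias with a simplified generator and shows why an access policy has to be applied to the resolved long name rather than to the requested spelling. The directory listing, the deny set, and the simplified alias rules are all assumptions.

```python
def short_name(long_name, seq=1):
    # Simplified model of the Win32 8.3 alias (assumption: real NTFS also
    # strips characters such as '+' and ',' and switches to hashed names
    # after several collisions). Upper-case, spaces and extra dots dropped;
    # if anything had to be cut, first 6 base chars + "~" + seq + 3-char ext.
    base, dot, ext = long_name.rpartition(".")
    if not dot:                                   # no extension, e.g. "README"
        base, ext = ext, ""
    cbase = "".join(c for c in base.upper() if c not in " .")
    cext = "".join(c for c in ext.upper() if c not in " .")
    if (cbase, cext) != (base.upper(), ext.upper()) or len(cbase) > 8 or len(cext) > 3:
        cbase = cbase[:6] + "~" + str(seq)
    return cbase + ("." + cext[:3] if cext else "")

def alias_table(long_names):
    # Map every spelling a file answers to (long name, 8.3 alias, any case)
    # back to its one long name; colliding aliases get ~2, ~3, ... in
    # creation order, as Windows does.
    table = {}
    for name in long_names:
        table[name.lower()] = name
        seq, alias = 1, short_name(name, 1)
        while table.get(alias.lower(), name) != name:
            seq += 1
            alias = short_name(name, seq)
        table[alias.lower()] = name
    return table

def canonical_name(table, requested):
    # The single long name behind any spelling, or None if no such file exists.
    return table.get(requested.lower())

def access_allowed(table, requested, denied_long_names):
    # Apply the policy to the canonical name, never to the raw request;
    # a request that resolves to no file is refused as well.
    name = canonical_name(table, requested)
    return name is not None and name not in denied_long_names

# Constructed sample docroot listing and policy (assumed, not from any server).
DOCROOT = ["index.html", "secret-config.txt", "secret-notes.txt", "README"]
DENIED = {"secret-config.txt"}
TABLE = alias_table(DOCROOT)

if __name__ == "__main__":
    for req in ("secret-config.txt", "SECRET~1.TXT", "Secret-Config.TXT"):
        naive = req not in DENIED          # raw string compare: alias slips through
        print(f"{req:20} naive_allows={naive} canonical_allows={access_allowed(TABLE, req, DENIED)}")
```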
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:32 PDT