> -----Original Message-----
> From: Martin Werner [mailto:bugtraqat_private]
> Sent: Monday, July 16, 2001 3:31 AM
> To: BUGTRAQat_private
> Subject: AW: Windows MS-DOS Device Name DoS vulnerabilities
>
>
> Just want to give a new thought.
>
> Fact is, that on the one hand side, it's merely impossible to
> write a safe ftp server using Microsoft's Filesystem, because
> device names can cause trouble (and I think, this is not a bug,
> but it's been discussed)

I beg to differ. First, let's distinguish between file systems. If you say that it wouldn't be advisable to write an FTP server designed to run on FAT file systems, then I'd be inclined to agree. You can, OTOH, do a lot of work to re-implement file system security sufficient for an FTP server and be OK.

Now, on to the issue with device names - this isn't all that terribly difficult, and is part of proper file canonicalization practices. A call to CreateFile() on a device name will always succeed (or possibly blow up an unpatched Win9x system, so go get the patch or consider running your FTP server on NT or Win2k). Next, a call to GetFileInformationByHandle() will always fail if it is a device. GetFileType() can also be used to determine whether something is a device.

David LeBlanc
dleblancat_private
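
The handle-based check described in the reply, as an added example that is not part of the original post: open the name, then classify the handle with GetFileType() and GetFileInformationByHandle() rather than trusting the name. The function name `is_plain_disk_file` is hypothetical, and the non-Windows branch (open plus fstat, the POSIX analogue) is an assumption added here to go beyond the Windows case.

```c
#define _POSIX_C_SOURCE 200809L /* expose open/fstat under strict -std= modes */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#endif

/* Hypothetical helper (added example, not from the post).
 * Returns 1 for an ordinary disk file, 0 for a device or any other
 * non-file object, -1 if the name cannot be opened at all. */
int is_plain_disk_file(const char *path)
{
#ifdef _WIN32
    BY_HANDLE_FILE_INFORMATION info;
    int ok;
    HANDLE h = CreateFileA(path, GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    /* Accept only FILE_TYPE_DISK; devices report another type, and per the
     * post GetFileInformationByHandle() fails on them as well. */
    ok = GetFileType(h) == FILE_TYPE_DISK &&
         GetFileInformationByHandle(h, &info);
    CloseHandle(h);
    return ok;
#else
    struct stat st;
    int ok;
    /* O_NONBLOCK so that opening a FIFO or a tty cannot hang the caller. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    close(fd);
    return ok;
#endif
}

int main(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], is_plain_disk_file(argv[i]));
    return 0;
}
```

In a server, run the check on the same handle that is subsequently read or written instead of closing and reopening the name, so the object cannot change between the check and the use.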
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 14:08:10 PDT