Re: MS-DOS Filename/Directory Vulnerability

From: Alun Jones (alunat_private)
Date: Fri Aug 17 2001 - 06:05:35 PDT


    At 06:32 PM 8/16/2001, Seth Arnold wrote:
    >On Thu, Aug 16, 2001 at 07:08:16PM -0700, Felipe Moniz wrote:
    > > I tested this in the PWS (based on IIS 4) and it worked.
    > >
    > > I created a file called "clientlist2001.txt" and with client~1.txt
    > > (www.site.com/client~1.txt) I get the clientlist2001.txt without knowing the
    > > complete name of the file. The problem occurs also when I type
    > > "postin~1.htm" to access the "postinfo.html" file.
    >
    >This is a known problem. There is a switch that can be thrown somewhere
    >(possibly only in the registry, but I thought I have seen a checkbox for
    >this somewhere...) that does not generate the MSDOS names on NTFS
    >partitions.
    >
    >Microsoft has written a guide to securing WinNT; I bet they have updated
    >it for Win2k as well. They detail how to turn off the MSDOS filename
    >support in that document.
    
    As a general point, this is one place where numerous attacks have succeeded 
    in the past, especially with programs that apply their own security onto 
    the base Windows model.  The example given by Felipe only works because he 
    has access to the document in question - but this isn't always the case.  A 
    couple of frequently occurring vulnerabilities that have been found and 
    fixed in various products, but might still occur in others:
    
    A file protected as "long file name", but accessed as "longfi~1" eludes the 
    protections that were supposed to be assigned to it.
    A file originally created on NTFS and then moved to FAT (or vice-versa) 
    will often have a _different_ short file name on the new volume than it did 
    on the old.  Sometimes, even moving files (or more specifically, copying, 
    whether followed by deletion of the original or not) from one location to 
    another in the same file system will change the short file name.
    
    If protection of any sort is assigned on the short path name, there are 
    several possibilities that might cause failure of security (imagine, for 
    instance, if your home directories are created as "home for eric", "home 
    for fred", etc, then a move to a new system, or perhaps even a restore from 
    a not-too-cleverly-written backup (e.g. "just copy from another drive") 
    could swap the two homes around, in terms of access by their short path name).
    
    Win32 platforms have long had an API call to turn a long path into a short 
    path (GetShortPathName), but only relatively recently has there been an API 
    call to do the reverse.
    
    To users that are concerned about removing short path name functionality 
    using the switch that Seth mentions, it's worth noting that Windows 2000 
    and XP, at least, have command-line completion capabilities that can be 
    used in place of trying to remember which tilde-number combination to 
    use.  Running "CMD /?" in a command-prompt window will tell you how to 
    enable the completion keys, and how to set them - either by a switch in a 
    call to CMD, or by a registry setting.
    
    Alun.
    ~~~~
    P.S. Needless to say, we think we've been pretty careful about this for 
    some time, but there's always room for error - please let us know about any 
    vulnerabilities you find.
    --
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
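An added example, not from Alun's post or from WFTPD: a small Python scanner that flags web-server requests which name a file by its 8.3 alias, the pattern Felipe describes (client~1.txt for clientlist2001.txt, postin~1.htm for postinfo.html). It assumes W3C-style log lines of the form "date time c-ip cs-method cs-uri-stem sc-status"; the sample log is constructed for the example.

```python
import re
from urllib.parse import unquote

_BAD_CHARS = set(' ."/\\[]:;=,+*?<>|')  # characters a classic 8.3 name cannot contain

def is_short_name(component):
    """True if one path component looks like an NTFS-generated 8.3 alias such as
    CLIENT~1.TXT or LONGFI~1: base of at most 8 chars ending in '~' plus digits,
    optional extension of at most 3 chars, a single dot at most."""
    if component.count(".") > 1:
        return False
    name, _, ext = component.partition(".")
    if not (1 <= len(name) <= 8 and len(ext) <= 3):
        return False
    if any(ch in _BAD_CHARS for ch in name + ext):
        return False
    # At least one character must precede the tilde, so a Unix-style home
    # directory URL such as /~eric/ is not mistaken for a short name.
    return re.fullmatch(r"[^~]+~\d+", name) is not None

def short_name_components(url_path):
    """Return the 8.3-style components of a request path after percent-decoding,
    so an encoded tilde (%7E) is recognised too; any query string is ignored."""
    path = unquote(url_path.split("?", 1)[0])
    return [c for c in path.split("/") if is_short_name(c)]

def scan_access_log(lines):
    """Scan W3C-style log lines (date time c-ip cs-method cs-uri-stem sc-status) and
    return (client_ip, requested_path, short_name_components) per flagged request."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, path = fields[2], fields[4]
        hits = short_name_components(path)
        if hits:
            findings.append((ip, path, hits))
    return findings

# Constructed sample log for this example, not taken from any real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-16 18:32:01 10.0.0.5 GET /clientlist2001.txt 200
2001-08-16 18:32:07 10.0.0.5 GET /client~1.txt 200
2001-08-16 18:32:09 10.0.0.5 GET /docs/POSTIN%7E1.HTM 200
2001-08-16 18:33:15 10.0.0.9 GET /~eric/index.html 200
""".splitlines()
```

Run scan_access_log(SAMPLE_LOG) to see the two short-name requests flagged while the full-name and /~eric/ requests pass; a hit on a path that is supposed to be protected by its long name is the case Alun describes.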
    
    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 09:07:38 PDT