Title: Microsoft Windows-based Web Servers unauthorized access - long file names
Released by: CERT
Date: 6th February 1998
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



=============================================================================

CERT* Advisory CA-98.04

Original issue date: Feb. 06, 1998

Last revised:   December 9, 1998

        Added vendor information for Netscape and O'Reilly & Associates, Inc.



        A complete revision history is at the end of this file.





Topic: Microsoft Windows-based Web Servers unauthorized access - long file

       names

- -----------------------------------------------------------------------------



A vulnerability involving long file names on Microsoft Windows-based web

servers has recently been described on public mailing lists. When files on the

web server have names that do not fit the 8.3 format (8 characters plus a

3-character extension), users can gain unauthorized access to files protected

solely by the web server's own access restrictions.



The CERT/CC team recommends installing patches from your vendor (see Section

III.A and the appendix). Until you are able to do so, we urge you to use the

workaround described in Section III.B.



We will update this advisory as we receive additional information.

Please check our advisory files regularly for updates that relate to your site.



- -----------------------------------------------------------------------------



I.   Description



     All 32-bit Microsoft Windows operating systems (commonly known as Win32)

     can associate two different file names with a stored file, a short name

     and a long name. The short version, known as 8.3-compliant, is restricted

     to a length of 8 characters and an extension of 3 characters. This

     version is required for backward compatibility with DOS. The long version

     of the file name is not restricted to the 8.3-compliant format but is

     restricted to a total length of 255 characters.



     When Win32 stores a file with a short name (i.e., 8.3-compliant), it

     associates only that short file name with the file. However, when Win32

     stores a file with a long name (i.e., one that does not fit the 8.3

     format, because the name or extension is too long or because it contains

     characters such as spaces that 8.3 names do not allow), it associates two

     versions of the file name with the file--the original, long file name and

     an 8.3-compliant short file name that is derived from the long name in a

     predictable manner (typically the first six characters of the name, a

     tilde and a digit, followed by the first three characters of the

     extension).



     Example:



       The 8.3-compliant short file name "Abcdefgh.xyz" is represented

                      (1) as is: "Abcdefgh.xyz".



       However, the long file name "Abcdefghijk.xyz" is represented:

                      (1) as is: "Abcdefghijk.xyz" and

                      (2) as 8.3-compliant: "Abcdef~1.xyz".



       Some Win32-based web servers have not compensated for the two file name

       versions when restricting access to files that have long names. The web

       servers attempt to restrict access by building an internal list of

       restricted file names. However, for files with long names, only the

       long, and not the short, file name is added to this internal list. This

       leaves the file unprotected by the web server because the file is still

       accessible via the short file name.



       For example, "Abcdefgh.xyz" (short) would be protected by the web

       server, but "Abcdefghijk.xyz" (long) would not be completely protected

       by the web server: a request for "Abcdef~1.xyz" reaches the same file

       without matching the entry in the server's internal list.



II.  Impact



     Users are able to gain unauthorized access to files protected solely by

     the web server.



III. Solution



     CERT/CC urges you to immediately apply vendor patches if they are

     available. Until you are able to do so, we urge you to use

     the workaround described in Section III.B.



     A. Obtain and install a patch for this problem.



        Appendix A contains input from vendors who have provided information

        for this advisory. We will update the appendix as we receive more

        information. If you do not see your vendor's name, the CERT/CC

        did not hear from that vendor. Please contact your vendor directly.



     B. Until you are able to install the appropriate patch, we recommend the

        following workaround.



        (1) Use only 8.3-compliant short file names for the files that

            you want to have protected solely by the web server. On FAT

            file systems this can be enforced by setting the "Win31FileSystem"

            registry value to 1 (under the key HKEY_LOCAL_MACHINE\System\

            CurrentControlSet\Control\FileSystem). Note that this disables

            long file name support on every FAT volume of the system, not

            just in the web content directories.



        (2) On NTFS volumes, you can disable the creation of the

            8.3-compliant short file name for files with long file names

            by setting the "NtfsDisable8dot3NameCreation" registry value to 1

            (under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\

            Control\FileSystem). The setting takes effect after a reboot and

            applies only to files created from then on; files that already

            have a short name keep it until they are recreated (for example,

            copied into a new directory). "dir /x" at a command prompt lists

            the short name beside each long name, so you can check which

            protected files still have one. This step may also cause

            compatibility problems with 16-bit applications.



        (3) Use NTFS-based ACLs (directory or file level access control

            lists) to augment or replace web server-based security. An ACL

            is enforced by the operating system on the file itself, whichever

            of its names is used to open it, so it closes this hole

            independently of the web server's own checks.
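The two-name behaviour described in Section I and the exposure check behind the workarounds in Section III.B, as an added Python model that is not part of the CERT advisory or of any vendor's software. Win32Directory, WebServer, aliased_protected_files, the sample file names and the simplified short-name rule (first six legal characters of the name, a tilde and a digit, then the first three characters of the extension; the hashed form NTFS switches to after repeated collisions is not modelled) are all assumptions made for illustration. The block runs on any operating system and touches no real file system or registry.

```python
# Added example for CA-98.04, not code from the advisory or any vendor: a pure-Python
# model of the two-name file system (Section I) and of a web server's name-based
# restriction list. Win32Directory, WebServer and the file names are constructed
# for illustration; nothing here touches a real file system or registry.

# Characters FAT and NTFS accept in an 8.3 name (letters are stored upper-cased).
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()-@^_`{}~")


def split_name(name):
    """Split 'stem.ext' at the last dot; a name without a dot has an empty extension."""
    stem, _, ext = name.rpartition('.') if '.' in name else (name, '', '')
    return stem, ext


def is_8dot3(name):
    """True when the name already fits 8.3, so the file gets no second name."""
    stem, ext = split_name(name)
    legal = all(c in ALLOWED for c in (stem + ext).upper())
    return 1 <= len(stem) <= 8 and len(ext) <= 3 and legal


def derive_short(long_name, taken):
    """Simplified NTFS rule: first six legal stem characters, '~N', first three
    extension characters. The hashed form NTFS switches to after repeated
    collisions is not modelled, so more than nine collisions raise an error."""
    stem, ext = split_name(long_name)
    clean = lambda s: ''.join(c for c in s.upper() if c in ALLOWED)
    base, ext = clean(stem)[:6], clean(ext)[:3]
    for n in range(1, 10):
        candidate = f"{base}~{n}" + (f".{ext}" if ext else '')
        if candidate not in taken:
            return candidate
    raise ValueError(f"too many short-name collisions for {long_name!r}")


class Win32Directory:
    """One directory: every name the OS will open (long or 8.3) maps to one long name."""

    def __init__(self):
        self._lookup = {}   # upper-cased name -> canonical long name
        self.aliases = {}   # long name -> its 8.3 alias, only for files that have one

    def create(self, long_name):
        key = long_name.upper()
        if key in self._lookup:
            raise FileExistsError(long_name)
        self._lookup[key] = long_name
        if not is_8dot3(long_name):
            short = derive_short(long_name, set(self._lookup))
            self._lookup[short] = long_name
            self.aliases[long_name] = short
        return self.aliases.get(long_name, long_name)

    def resolve(self, requested):
        """Canonical long name the file system would open for `requested`, or None."""
        return self._lookup.get(requested.upper())


class WebServer:
    """A server that keeps its own list of restricted names, as described in Section I."""

    def __init__(self, directory, protected):
        self.fs = directory
        self.restricted = {n.upper() for n in protected}  # long names only: the flawed list

    def serve_vulnerable(self, requested):
        """Compares the name as typed by the client, so the 8.3 alias slips past."""
        if requested.upper() in self.restricted:
            return 'FORBIDDEN'
        target = self.fs.resolve(requested)
        return f'SERVED {target}' if target else 'NOT FOUND'

    def serve_hardened(self, requested):
        """Canonicalises first, then authorises, so every alias of a protected file is refused."""
        target = self.fs.resolve(requested)
        if target is None:
            return 'NOT FOUND'
        return 'FORBIDDEN' if target.upper() in self.restricted else f'SERVED {target}'


def aliased_protected_files(directory, protected):
    """Check behind workaround III.B: protected files that also answer to a short
    name and so need an 8.3 name, NtfsDisable8dot3NameCreation, or an NTFS ACL."""
    return {n: directory.aliases[n] for n in protected if n in directory.aliases}


def demo():
    d = Win32Directory()
    for name in ("Abcdefgh.xyz", "Abcdefghijk.xyz", "Abcdefghijklmnop.xyz", "index.html"):
        d.create(name)  # constructed sample files
    protected = ["Abcdefgh.xyz", "Abcdefghijk.xyz"]
    ws = WebServer(d, protected)
    return {
        'alias': d.aliases["Abcdefghijk.xyz"],                # 'ABCDEF~1.XYZ'
        'vuln_long': ws.serve_vulnerable("Abcdefghijk.xyz"),  # 'FORBIDDEN'
        'vuln_short': ws.serve_vulnerable("ABCDEF~1.XYZ"),    # 'SERVED Abcdefghijk.xyz'
        'hard_short': ws.serve_hardened("ABCDEF~1.XYZ"),      # 'FORBIDDEN'
        'audit': aliased_protected_files(d, protected),       # {'Abcdefghijk.xyz': 'ABCDEF~1.XYZ'}
    }
```

Running demo() shows the flaw in one line: serve_vulnerable refuses "Abcdefghijk.xyz" but serves "ABCDEF~1.XYZ", while serve_hardened refuses both because it resolves the request to the canonical long name before consulting the restriction list. The same ordering, canonicalise then authorise, is the general fix for any alias the file system accepts (case differences, trailing dots and spaces, alternate names); workaround (3), an NTFS ACL on the file itself, is enforced by the kernel whichever name is used to open the file and so does not depend on the server getting this right.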





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Appendix A - Vendor Information



Below is a list of the vendors who have provided information for this

advisory. We will update this appendix as we receive additional information.

If you do not see your vendor's name, the CERT/CC did not hear from that

vendor. Please contact the vendor directly.



Apache

======

None of the beta releases of Apache for Win32 are vulnerable to this

particular problem.





Microsoft

=========

Microsoft IIS 4.0 and PWS 4.0 with the appropriate patch are not

vulnerable.



IIS 4.0 and PWS 4.0 maintain certain configuration information about

directories and files in a database called the metabase. The metabase does

not contain file permissions, but rather Web server-specific information

such as requiring SSL encryption, proxy cache setting, and PICS ratings.

Actual file and directory permissions are enforced by NTFS and are not

affected by this problem.



Earlier versions of IIS and PWS are not vulnerable to this issue.



Microsoft has made available a market bulletin for this issue that is

available on "Advisories and Solutions" section of the Microsoft Security

Advisor web site, http://www.microsoft.com/security. Please consult this

bulletin for information on obtaining the patch.





National Center for Supercomputing Applications (NCSA)

======================================================

The NCSA HTTPd web server does not run on Windows NT.  Note that HTTPd

is now an unsupported software product of the National Center for

Supercomputing Applications.





Netscape

========

Netscape has provided the following updated information addressing the

vulnerability described in this advisory.



   Enterprise Server 3.51 - This server is not vulnerable to this attack.

   Enterprise Server 3.0 - A patch has been created to fix the problem. It

   can be found at help.netscape.com.

   FastTrack Server 2.01 - A patch has been created to fix the problem.

   FastTrack Server 3.01 - A patch has been created to fix the problem.





O'Reilly & Associates, Inc.

===========================

O'Reilly WebSite Professional V1 and V2 and WebSite Standard V1.0e+ are not

vulnerable to this problem.





- -----------------------------------------------------------------------------

The CERT Coordination Center thanks David LeBlanc for his workaround suggestion.

- -----------------------------------------------------------------------------



If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident Response

and Security Teams (see http://www.first.org/team-info/).





CERT/CC Contact Information

- ----------------------------

Email    cert@cert.org



Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)

                and are on call for emergencies during other hours.



Fax      +1 412-268-6989



Postal address

         CERT Coordination Center

         Software Engineering Institute

         Carnegie Mellon University

         Pittsburgh PA 15213-3890

         USA



Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can

   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key

         http://ftp.cert.org/pub/CERT_PGP.key



Getting security information

   CERT publications and other security information are available from

        http://www.cert.org/

        http://ftp.cert.org/pub/



   CERT advisories and bulletins are also posted on the USENET newsgroup

        comp.security.announce



   To be added to our mailing list for advisories and bulletins, send

   email to

        cert-advisory-request@cert.org

   In the subject line, type

        SUBSCRIBE  your-email-address



- ---------------------------------------------------------------------------



Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



*CERT is registered in the U.S. Patent and Trademark Office.



- ---------------------------------------------------------------------------



This file: http://ftp.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers

           http://www.cert.org/pub/alerts.html







~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history



Dec.  9, 1998   Added vendor information for Netscape and

                O'Reilly & Associates, Inc.



Feb. 11, 1998   Advisory name change

                Updates to Solution Section III.B

                Added Acknowledgment





-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTAlVr9kb5qlZHQEQJ6tACgrJGM80EosWAYzSMC5s2+41kLbkAAoJ6+

O5nCsPMRKhOxNN0DRrU7jykj

=Qc10

-----END PGP SIGNATURE-----







