httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Kluft <>
Subject CIAC advisory about NT web servers
Date Sat, 31 Jan 1998 02:00:03 GMT
CIAC sent this advisory about vulnerabilities of NT-based NS and IIS web
servers.   Since it appears to be a problem associated with NT in general,
someone with access to an Apache NT server may want to take a look at this.

Sorry about the long message... it was bordering on the decision whether or
not to send a URL.  This is important so I opted for the message.
Ian Kluft  KO6YQ PP-ASEL                                  Cisco Systems, Inc. (work) (home)          San Jose, CA

Forwarded message:
> Date: Fri, 30 Jan 1998 14:51:52 -0800 (PST)
> From: CIAC Mail User <>
> Message-Id: <>
> To:
> Subject: CIAC Bulletin I-025A: Windows NT based Web Servers File Access Vulnerability
> [  For Public Release  ]
>              __________________________________________________________
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>              __________________________________________________________
>                              INFORMATION BULLETIN
>              Windows NT based Web Servers File Access Vulnerability
> January 30, 1998 21:00 GMT                                       Number I-025A
> ______________________________________________________________________________
> PROBLEM:       Some Windows NT based web servers allow access to 8.3 format
>                filenames. This can allow unauthorized access to files via
>                their 8.3 compatible name.
> PLATFORM:      Microsoft Internet Information Server and Peer Web Server 4.0,
>                Netscape FastTrack 2.x
> DAMAGE:        By exploiting this vulnerability, remote users may gain
>                unauthorized access to files accessed by the web server.
> SOLUTION:      Apply the fixes listed in Section 3 of this advisory.
> ______________________________________________________________________________
> VULNERABILITY  Exploit information involving this vulnerability has been made
> ASSESSMENT:    publicly available.
> ______________________________________________________________________________
> Introduction
> ============
> Windows NT file systems support filenames of up to 255 characters.  For
> compatibility purposes, a short filename (the 8.3 filename) is usually
> created for each file, and can be used by older applications to access
> directories and files with long names.  Web server file protection of
> directories and files in long filename (not 8.3) formats can often allow
> access to the short name (8.3) equivalent without restriction.  Some
> Windows NT based Web servers base their access control check for permissions
> using the long filename only, and do not include the short name that may
> be used as an alias.  For example, if there was a file named
> noteightdotthree.htm, and it was protected at the file level by the web
> server (NOT the NTFS file system itself), the access of the short name
> noteig~1.htm is possible.  This also applies to directories.  Note that NTFS
> level file restrictions are always applied correctly because they are not
> inherently tied to the long name, but to the name stored on disk, which the
> long name references.  Some web servers allow you to set access permissions
> in places other than NTFS,  however it is the implementation of these controls
> that are causing the vulnerability.
> The characteristics of this vulnerability also appear in IIS 3.0 and PWS
> 3.0, but only at the directory level.  Using the long file name IIS or PWS
> 3.0 to protect an execute only directory inside a read-execute or read-only
> is not recommended.  Microsoft has stated that they do not consider it a
> bug, but a 'bad' practice.
> This vulnerability may easily affect other Windows NT based WWW servers.
> CIAC recommends that you check with your vendor to ensure your WWW server
> does not exhibit this characteristic.
> Problem
> =======
> This vulnerability permits attackers to gain unauthorized access to files
> on the Web server.  It may be used to download the source code of
> server scripts in some configurations.  If exploited it can give an
> intruder access to any file that the web server can access.
> Prevention
> ==========
> Microsoft IIS 4.0 and PWS 4.0
> ==============================
> Microsoft has developed a hot-fix to correct the problem.  CIAC has
> verified that the hot-fix corrects the problem described above, but has
> not done any regression testing. Instructions for installing it are
> available from Microsoft.  Microsoft recommends that you update your
> Emergency Repair Disk before you apply the patch, as they have not
> regression tested the hot-fix.
>  Microsoft's patch location:
> Windows NT 4.0 (CIAC recommends that Service Pack 3 is installed first):
> Microsoft IIS 3.0 and PWS 3.0
> ==============================
> Although Microsoft does not consider this a bug, CIAC recommends that you
> ensure directory access controls are not nested. Verify that WWW server
> protections are not being used to enforce protection for execute-only
> directories that reside in read-only or read-execute directories.
> Netscape FastTrack 2.x
> =======================
> Netscape will be producing patches.
> _______________________________________________________________________
> Thanks to:
> David LeBlanc <>
> Michael Howard <>
> _______________________________________________________________________
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the emergency backup response team for the National
> Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
> National Laboratory in Livermore, California. CIAC is also a founding
> member of FIRST, the Forum of Incident Response and Security Teams, a
> global organization established to foster cooperation and coordination
> among computer security teams worldwide.
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
>     Voice:    +1 510-422-8193
>     FAX:      +1 510-423-8002
>     STU-III:  +1 510-423-2604
>     E-mail:
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
>    World Wide Web:
>                         (or -- they're the same machine)
>    Anonymous FTP:
>                         (or -- they're the same machine)
>    Modem access:        +1 (510) 423-4753 (28.8K baud)
>                         +1 (510) 423-3331 (28.8K baud)
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
>    information and Bulletins, important computer security information;
> 2. SPI-ANNOUNCE for official news about Security Profile Inspector
>    (SPI) software updates, new features, distribution and
>    availability;
> 3. SPI-NOTES, for discussion of problems and solutions regarding the
>    use of SPI products.
> Our mailing lists are managed by a public domain software package
> called Majordomo, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> ciac-bulletin, spi-announce OR spi-notes for list-name:
> E-mail to or
>         subscribe list-name
>   e.g., subscribe ciac-bulletin
> You will receive an acknowledgment email immediately with a confirmation
> that you will need to mail back to the addresses above, as per the
> instructions in the email.  This is a partial protection to make sure
> you are really the one who asked to be signed up for the list in question.
> If you include the word 'help' in the body of an email to the above address,
> it will also send back an information file on how to subscribe/unsubscribe,
> get past issues of CIAC bulletins via email, etc.
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins.  If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained via WWW at
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
> I-016: SCO  /usr/bin/X11/scoterm Vulnerability
> I-017: statd Buffer Overrun Vulnerability
> I-018: FTP Bounce Vulnerability
> I-019: Tools Generating IP Denial-of-Service Attacks
> I-020: Cisco 7xx password buffer overflow - DOS
> I-021: "smurf" IP Denial-of-Service Attacks
> I-022: IBM AIX "routed" daemon Vulnerability
> I-023: Macro Virus Update
> I-024: CGI Security Hole in EWS1.1 Vulnerability
> Version: 4.0 Business Edition
> XveNQ6lPPRTi1RK7gZQZgtWG0P2N6UAF5LyXzMZCh4XpiXwfghN0A7/1sI5GBAF0
> tQwrHbbAEpo=
> =Q35R

View raw message