httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Re: Vague ASP Vulnerability in WebSite and Netscape NT Servers (fwd)
Date Tue, 30 Jun 1998 00:28:19 GMT
Bastard.

Lets see... we now have 854 ways of having unnecessary filename variance
on Win32.

---------- Forwarded message ----------
Date: Mon, 29 Jun 1998 16:03:29 -0500
From: LR LeVally <webmaster@COUNTERPOINT.ORG>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Vague ASP Vulnerability in WebSite and Netscape NT Servers

At 02:31 AM 6/27/98 , David Kennedy CISSP wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>(Sorry about the subject, but at least it's accurate.)
>
>The San Diego Daily Transcript claims there's a vulnerability (maybe
>like dot-dot?) in Netscape and WebSite NT Servers:
>
>http://www.sddt.com/files/library/98/06/25/tbc.html
>
>I posted to O'Reilly's webconference (http://website.oreilly.com) and
>got a non-response of, "Yes, but it wouldn't be kosher to publish the
>details, now would it? :)" from one Mark Bracewell <markb@oreilly.com>
>
>After checking with our list owner, I'm giving everyone a heads up and
>maybe some "Hey, that's not good enough," directed towards O'Reilly
>will help them decide to provide some information to the user
>community.


O'Reilly *is* providing information via their mailing list, and
will be making a point-fix available in the next couple of days:



To: website-talk@list.ora.com
Subject: Re: Source code security bug status
From: "Bob Denny" <rdenny@dc3.com>
Date: Sat, 27 Jun 1998 07:15:28 -0700
References: <199806271145.XAA14553@Hestia.es.co.nz>

----------------------------------------------------------------------------
----

Drew Whittle wrote:
> The problem is with the webserver. (should
> be an easy fix tho.)

Yes, and yes. Actually, the problem arises from an NT/95/98 bug
where the CreateFile() system service (used for both opening and
creating files) will take a file name with a trailing space, then
it will open or create a file without the trailing space. Spaces
are allowed in file names. Therefore, this API should create the
file WITH the trailing space, and it should FAIL to open a file
with a trailing space unless a file with that name really exists.
It is a bug that the API will open/create a file with a DIFFERENT
name than was given to the system call.

What SHOULD have happened is that the system should have returned
an error when the filename with the trailing space was used to
open the document, resulting in a 404 Not Found from the
webserver. In 2.3, WebSite will rudely reject any filename with
trailing space(s) as not operating-system-safe.

  -- Bob



Mime
View raw message