lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Feb 2004 09:11:40 -0700
From: "J." <jeruvy@...w.ca>
To: 'Alun Jones' <alun@...is.com>
Cc: bugtraq@...urityfocus.com
Subject: RE: Apache Http Server Reveals Script Source Code to Remote Users And
 Any Users Can Access The Forbidden Directory ("/WEB-INF/")


I don't acknowledge this.

I tested this with Windows XPsp1 running IE 6.0.2800 with latest
patches.  Running on the latest build of Apache server on the same box.

IE knew the difference between 'web-inf..' And 'web-inf.' and
'web-inf...' (so did apache).  Matter of a fact creating separate pages
with these names resulted in separate loading.

Perhaps your 'claim' can be further substatiated by what 'you' are doing
to IE to cause this.

J.


:> -----Original Message-----
:> From: Alun Jones [mailto:alun@...is.com] 
:> Sent: Thursday, February 12, 2004 5:32 PM
:> To: 'Peter J. Holzer'; bugtraq@...urityfocus.com
:> Subject: RE: Apache Http Server Reveals Script Source Code 
:> to Remote Users And Any Users Can Access The Forbidden 
:> Directory ("/WEB-INF/")
:> 
:> 
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp@....ac.at]
:> > Sent: Wednesday, February 11, 2004 6:50 AM
:> > 
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two 
:> different, legal file 
:> > names. On Windows, trailing dots seem to be ignored, so 
:> "WEB-INF" and 
:> > "WEB-INF.." are just two names for the same file. This 
:> also works if 
:> > the filename already has an extension, so for example 
:> "foo.html" and
:> > "foo.html....." are the same file, too. I wonder whether 
:> that can be
:> > exploited, too: Get the contents of a CGI script by requesting
:> > "foo.cgi."?
:> 
:> It's been done before - certainly in IIS, there was a bug 
:> where getting a "filename.asp." URL gave you the source of 
:> the ASP script.  Same for "filename.asp:$DATA".
:> 
:> Alun.
:> ~~~~
:> -- 
:> Texas Imperial Software   | Find us at http://www.wftpd.com or email
:> 1602 Harvest Moon Place   | alun@...is.com.
:> Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP 
:> servers. Fax/Voice +1(512)258-9858 | Try our NEW client 
:> software, WFTPD Explorer.
:> 
:> 




Powered by blists - more mailing lists