Open Source and information security mailing list archives
Date: Tue, 17 Feb 2004 21:26:58 +0100
From: "Peter J. Holzer" <hjp@....ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")

[reformatted for better readability]

On 2004-02-14 09:11:40 -0700, J. wrote:
> :> From: Alun Jones [mailto:alun@...is.com] 
> :> 
> :> > -----Original Message-----
> :> > From: Peter J. Holzer [mailto:hjp@....ac.at]
> :> > 
> :> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal
> :> > file names. On Windows, trailing dots seem to be ignored, so
> :> > "WEB-INF" and "WEB-INF.." are just two names for the same file.
> :> > This also works if the filename already has an extension, so for
> :> > example "foo.html" and "foo.html....." are the same file, too. I
> :> > wonder whether that can be exploited, too: Get the contents of a
> :> > CGI script by requesting "foo.cgi."?
> :> 
> :> It's been done before - certainly in IIS, there was a bug 
> :> where getting a "filename.asp." URL gave you the source of 
> :> the ASP script.  Same for "filename.asp:$DATA".
>
> I don't acknowledge this.
> 
> I tested this with Windows XPsp1 running IE 6.0.2800 with latest
> patches.  Running on the latest build of Apache server on the same box.
> 
> IE knew the difference between 'web-inf..' and 'web-inf.' and
> 'web-inf...' (so did apache).  As a matter of fact, creating separate pages
> with these names resulted in separate loading.

Alun wrote "there *was* a bug", which implies that it has been fixed.

IE doesn't have anything to do with it; it just sends the URL to the web
server, which serves some content. For static content, the server usually
just tries to access a file and serves its content. It may impose
additional rules, though.

> Perhaps your 'claim' can be further substantiated by what 'you' are doing
> to IE to cause this.

I didn't do anything to IE. I just created a directory "testdir" and
file "test.txt" and tried to access "testdir...." and "test.txt...."
from cmd, which worked. That's why I claimed that "On Windows, trailing
dots seem to be ignored". A web server on Windows needs to take this
into account, just like it has to take into account that filenames are
case-insensitive.

This was on Windows 2000, SP2 (oops, rather old - but that box is going
to be reinstalled RSN anyway, says our Windows-Admin), so maybe it is
fixed in WinXP or some W2K SP.

	hp

-- 
   _  | Peter J. Holzer      | Shooting the users in the foot is bad. 
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp@....ac.at        |	-- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128

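The thread's point is that a server on Windows must apply its access rules to the name the filesystem will actually open, not to the raw request string. The following canonicalizer is an added illustration, not Apache's or IIS's own code: it folds the variants named in the thread (trailing dots and spaces, case differences, backslash separators, and the ":$DATA" stream suffix) into one canonical path before a hypothetical "/WEB-INF/" deny-list is consulted. The deny-list and the sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Added illustration, not Apache's or IIS's own code: a request-path
# canonicalizer for a web server whose document root lives on a Windows
# filesystem. Access-control rules (such as "deny /WEB-INF/") must be
# applied to the name the filesystem will actually open, so every
# component is reduced to that name before the rule is consulted.

# Hypothetical deny-list; the prefixes are kept in lower case because the
# comparison below is case-insensitive.
FORBIDDEN_PREFIXES = ("/web-inf/",)


def canonicalize_component(name: str) -> str:
    """Reduce one path component to the name Windows would open."""
    # "." and ".." are directory references; leave them for normpath.
    if name in (".", ".."):
        return name
    # "file.txt:$DATA" names the file's unnamed data stream; drop the suffix.
    name = name.split(":", 1)[0]
    # Windows ignores trailing dots and spaces, so "WEB-INF.." and
    # "test.txt...." open "WEB-INF" and "test.txt".
    name = name.rstrip(". ")
    # NTFS name lookup is case-insensitive; compare in one case.
    return name.lower()


def canonicalize_path(url_path: str) -> str:
    """Return the absolute, normalized path a request would really reach."""
    decoded = unquote(url_path)
    # Windows accepts backslash as a separator, so treat it as "/".
    decoded = decoded.replace("\\", "/")
    parts = [canonicalize_component(p) for p in decoded.split("/")]
    # Collapse repeated slashes and resolve "." / ".." segments, anchored at
    # the document root so ".." cannot climb above it.
    return posixpath.normpath("/" + "/".join(parts).lstrip("/"))


def is_forbidden(url_path: str) -> bool:
    """Apply the deny-list to the canonical path, not the raw request."""
    canon = canonicalize_path(url_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in FORBIDDEN_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests: the first is the obvious spelling, the
    # rest are the variants discussed in the thread.
    for req in ("/WEB-INF/web.xml", "/WEB-INF../web.xml",
                "/web-inf./web.xml", "/WEB-INF%2E%2E/web.xml",
                "/docs/../Web-Inf\\web.xml::$DATA", "/docs/test.txt...."):
        print(f"{req:36} -> {canonicalize_path(req):22} "
              f"forbidden={is_forbidden(req)}")
```

The design choice worth noting is the order of operations: the stream suffix is removed before trailing dots are stripped, so "foo.::$DATA" still collapses to "foo", and percent-decoding happens before any of the component rules run, so an encoded dot is treated exactly like a literal one.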