Message-ID: <EA2F826214B88F4F93BC97ACB47386A401347E@act-exchange.ucsd.edu>
From: gabe at landq.org (Gabriel Lawrence)
Subject: Does the Windows AUX bug affect Web servers also?

Yes. It is possible to crash a web server hosted on a Windows box using
these "special" files. Usually the vulnerability comes from posting to a
script that attempts to open a file based on the arguments passed to it,
not just by asking for one of these files. (I think IIS isn't dumb
enough to just try them outright anymore... but most people who write
scripts and whatnot aren't aware of this legacy stuff.) I don't know
about different web servers besides IIS; I haven't spent that much time
fooling around with it...

-gabe

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard M.
Smith
Sent: Wednesday, July 09, 2003 9:50 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Does the Windows AUX bug affect Web servers
also?

Is it possible to also crash a Web server hosted on a Windows box using
a URL something like:

    http://www.somebody.com/aux

If this particular URL is okay, maybe there are other URLs that will
cause a crash.  For example, POSTing a form to a URL containing AUX.
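
Added example, not part of the original thread: one way a script that opens a file named by a request argument can reject the legacy device names the reply refers to before the open happens. The function names are hypothetical, and the names other than AUX come from Microsoft's documented list of reserved device names, not from the post.

```python
import re

# Reserved DOS device names as documented by Microsoft.
# The thread itself only mentions AUX; the rest are included as an assumption
# that a script author wants to cover the whole family.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def is_reserved_device_name(component: str) -> bool:
    """True if one path component would be treated as a DOS device on Windows."""
    # Trailing dots and spaces are dropped, and anything after the first dot
    # is ignored, so "AUX.txt", "aux ." and "nul.tar.gz" all count.
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED


def safe_relative_path(user_value: str) -> str:
    """Validate a request argument before it is used to open a file.

    Returns a normalized relative path, or raises ValueError.
    """
    if not user_value or "\x00" in user_value or ":" in user_value:
        raise ValueError("empty value, NUL byte, or drive/stream separator")
    clean = []
    # Check every component: a device name is honoured in any directory.
    for part in re.split(r"[\\/]+", user_value):
        if part in ("", ".", ".."):
            raise ValueError("absolute path or dot segment")
        if is_reserved_device_name(part):
            raise ValueError(f"reserved device name: {part!r}")
        clean.append(part)
    return "/".join(clean)


if __name__ == "__main__":
    # Constructed sample arguments, not taken from the thread.
    for value in ("reports/2003/summary.txt", "aux", "uploads\\AUX.txt",
                  "logs/com1.", "auxiliary.txt"):
        try:
            print(f"{value!r:30} -> open {safe_relative_path(value)!r}")
        except ValueError as err:
            print(f"{value!r:30} -> rejected ({err})")
```

The check runs on the raw argument, before any join with a document root, so the script never hands a device name to the file API.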


