J-Security Center

Title: NT Webserver Long File Name Access Protection Vulnerability

Severity: MODERATE

Description:

All 32-bit Microsoft Windows operating systems (commonly known as Win32) can associate two different file names with a stored file, a short name and a long name. The short version, known as 8.3-compliant, is restricted to a length of 8 characters and an extension of 3 characters. This version is required for backward compatibility with DOS. The long version of the file name is not restricted to the 8.3-compliant format but is restricted to a total length of 255 characters.

When Win32 stores a file with a short name (i.e., 8.3-compliant), it associates only that short file name with the file. However, when Win32 stores a file with a long name (i.e., greater than 8 characters), it associates two versions of the file name with the file--the original, long file name and an 8.3-compliant short file name that is derived from the long name in a predictable manner.

Example:

The 8.3-compliant short file name "Abcdefgh.xyz" is represented:

1. as is: "Abcdefgh.xyz".

However, the long file name "Abcdefghijk.xyz" is represented:

1. as is: "Abcdefghijk.xyz" and
2. as 8.3-compliant: "Abcdef~1.xyz".

Some Win32-based web servers have not compensated for the two file name versions when restricting access to files that have long names. The web servers attempt to restrict access by building an internal list of restricted file names. However, for files with long names, only the long, and not the short, file name is added to this internal list. This leaves the file unprotected by the web server because the file is still accessible via the short file name.

For example, "Abcdefgh.xyz" (short) would be protected by the web server, but "Abcdefghijk.xyz" (long) would not be completely protected by the web server.
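
The access-list flaw described above, modeled as an added example (not code from the advisory or from the affected servers): a name-string check beside a check that first resolves the request to the stored file. The function names, the in-memory directory table and the simplified alias derivation are assumptions made for illustration.

```python
# Added example: a simplified model, not Windows' real alias algorithm.

def short_alias(long_name, index=1):
    """First six base-name characters + "~<index>" + up to three extension
    characters, as in the advisory's example. Assumption: collisions, spaces
    and illegal characters, which real Windows handles, are ignored."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                          # name has no extension
        base, ext = long_name, ""
    if len(base) <= 8 and len(ext) <= 3:
        return None                      # already 8.3-compliant: one name only
    alias = f"{base[:6]}~{index}"
    return f"{alias}.{ext[:3]}" if ext else alias

def build_directory(stored_names):
    """Map every name the OS would accept (case-insensitively) to the single
    stored file it refers to, identified here by its long name."""
    directory = {}
    for name in stored_names:
        directory[name.lower()] = name
        alias = short_alias(name)
        if alias:
            directory[alias.lower()] = name
    return directory

def naive_is_restricted(requested, restricted):
    """Flawed check: compares the requested string with the list as written."""
    return requested.lower() in {n.lower() for n in restricted}

def hardened_is_restricted(requested, directory, restricted):
    """Resolve the request to the stored file first, then consult the list.
    Names that do not resolve are treated as restricted (fail closed)."""
    target = directory.get(requested.lower())
    return target is None or target.lower() in {n.lower() for n in restricted}

# Constructed sample data using the file names from the advisory.
STORED = ["Abcdefgh.xyz", "Abcdefghijk.xyz"]
RESTRICTED = ["Abcdefgh.xyz", "Abcdefghijk.xyz"]
DIRECTORY = build_directory(STORED)

def report():
    """(request, naive verdict, hardened verdict) for each way to name a file."""
    requests = ["Abcdefgh.xyz", "Abcdefghijk.xyz", "Abcdef~1.xyz"]
    return [(r, naive_is_restricted(r, RESTRICTED),
             hardened_is_restricted(r, DIRECTORY, RESTRICTED)) for r in requests]

if __name__ == "__main__":
    for row in report():
        print(row)
```

On a real Windows host the resolution step belongs to the operating system (for example the Win32 GetLongPathName call) rather than to a lookup table; the table here only stands in for it so the comparison runs anywhere.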

Affected Products:

  • Netscape Enterprise Server 3.0.0
  • Netscape FastTrack Server 2.0.1
  • Netscape FastTrack Server 3.0.1
