Title: Multiple Vendor 8.3 Filename Vulnerability
Severity: LOW
Description:
32bit Windows operating systems support long filenames, but also offer a means of compatibility with the older 8.3 filenames required by previous versions of DOS and Windows. This leads to problems with programs that have their own internal file security mechanisms.
In the Netscape, vqServer and Xitami webservers, restrictions applied to directories with long filenames will be ignored if the 8.3 version of the filename is requested. For example, if directory listing is enabled for c:\webroot\ and disabled for c:\webroot\longsubdir\ , a GET request for h t t p://server/longsubdir/ will fail, as expected. However, a GET request for h t t p://server/longsu~1/ will succeed.
In Serv-U, the 'cwd' and 'site exec' commands are susceptible to a similar vulnerability. If the execute permission is enabled for c:\ftproot\ and disabled for c:\ftproot\longsubdir\, and an executable is placed in C:\ftproot\longsubdir\, the command 'site exec C:\ftproot\longsubdir\example.exe' will fail, but 'site exec C:\ftproot\longsu~1\example.exe will work and the executable will be running.
As this is a problem with the maintenance of two different filesystem conventions in Windows32, the Windows 3.1 and non-Windows versions of these packages are not affected.
Other Windows32-based HTTP and FTP servers may have the same or similar vulnerabilities. If you are aware of any not listed here, please email us at: vuldb@securityfocus.com
Affected Products:
- Cat Soft Serv-U 2.5.0
- Cat Soft Serv-U 2.5.0a
- Imatix Xitami for Windows 2.4.0 d2
- Netscape Enterprise Server 3.0.0
- Netscape FastTrack Server 2.0.1
- Netscape FastTrack Server 3.0.1
- vqSoft vqServer for Windows 1.9.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
