RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
If you'll read my message more carefully, you'll note that at no time did I
say "I can reproduce this bug with Apache right now". I said that, in the
past, web servers have been exploited by requesting files with differently
formatted names that Windows resolves to the same target.
Notice also, that you are incorrect when you assign this as being an IE
behaviour. IE doesn't remove the terminating dots in a file name - and
indeed it should not. It is the web server, that accesses the file system,
that ends up opening "filename.asp." and thereby inadvertently turning the
name into "filename.asp", that would have such an error.
IIS has not exhibited this behaviour for a considerable time, IIRC.
Alun.
~~~~
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun@xxxxxxxxxx
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
> -----Original Message-----
> From: J. [mailto:jeruvy@xxxxxxx]
> Sent: Saturday, February 14, 2004 10:12 AM
> To: 'Alun Jones'
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Apache Http Server Reveals Script Source Code to
> Remote Users And Any Users Can Access The Forbidden Directory
> ("/WEB-INF/")
>
> I don't acknowledge this.
>
> I tested this with Windows XPsp1 running IE 6.0.2800 with latest
> patches. Running on the latest build of Apache server on the
> same box.
>
> IE knew the difference between 'web-inf..' and 'web-inf.' and
> 'web-inf...' (so did Apache). Matter of a fact creating separate pages
> with these names resulted in separate loading.
>
> Perhaps your 'claim' can be further substantiated by what 'you' are doing
> to IE to cause this.
>
> J.
>
>
> :> -----Original Message-----
> :> From: Alun Jones [mailto:alun@xxxxxxxxx]
> :> Sent: Thursday, February 12, 2004 5:32 PM
> :> To: 'Peter J. Holzer'; bugtraq@xxxxxxxxxxxxxxxxx
> :> Subject: RE: Apache Http Server Reveals Script Source Code
> :> to Remote Users And Any Users Can Access The Forbidden
> :> Directory ("/WEB-INF/")
> :>
> :>
> :> > -----Original Message-----
> :> > From: Peter J. Holzer [mailto:hjp@xxxxxxxxx]
> :> > Sent: Wednesday, February 11, 2004 6:50 AM
> :> >
> :> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file
> :> > names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and
> :> > "WEB-INF.." are just two names for the same file. This also works if
> :> > the filename already has an extension, so for example "foo.html" and
> :> > "foo.html....." are the same file, too. I wonder whether that can be
> :> > exploited, too: Get the contents of a CGI script by requesting
> :> > "foo.cgi."?
> :>
> :> It's been done before - certainly in IIS, there was a bug
> :> where getting a "filename.asp." URL gave you the source of
> :> the ASP script. Same for "filename.asp:$DATA".
> :>
> :> Alun.
> :> ~~~~
> :> --
> :> Texas Imperial Software | Find us at http://www.wftpd.com or email
> :> 1602 Harvest Moon Place | alun@xxxxxxxxxx
> :> Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
> :> Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
> :>
> :>
>
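
The thread's point is that a server on Windows can compare a requested name as a string (deny "WEB-INF", map ".asp" to a handler) and then open a differently spelled name that the file system resolves to the same file. The following is an added example, not code from the thread or from Apache or IIS: a pre-filter that rejects such aliases before any name-based rule runs. The deny list, extension set and function names are assumptions, and `win32_alias` only approximates Windows name resolution.

```python
from urllib.parse import unquote

# Hypothetical deny list and handler-mapped extensions for this example.
PROTECTED_DIRS = {"web-inf", "meta-inf"}
SCRIPT_EXTS = {".asp", ".cgi", ".jsp", ".php"}


def win32_alias(segment):
    """Approximate the name Windows would open for one path segment:
    drop any NTFS stream suffix (":$DATA"), strip trailing dots and
    spaces, and fold case."""
    base = segment.split(":", 1)[0]
    return base.rstrip(". ").lower()


def check_request_path(raw_path):
    """Return (allowed, reason) for a request path, before any
    name-based rule (deny list, handler mapping) is consulted."""
    path = unquote(raw_path).replace("\\", "/")
    for seg in path.split("/"):
        if seg in ("", ".", ".."):
            continue  # dot-segment traversal is a separate check, not shown
        alias = win32_alias(seg)
        if alias != seg.lower():
            # Different string, same file on Windows: refuse outright.
            if alias in PROTECTED_DIRS:
                return False, "alias of protected directory: " + alias
            if any(alias.endswith(ext) for ext in SCRIPT_EXTS):
                return False, "alias of script file: " + alias
            return False, "non-canonical segment: " + seg
        if alias in PROTECTED_DIRS:
            return False, "protected directory: " + alias
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample paths using the names quoted in the thread.
    for sample in ("/app/WEB-INF../web.xml", "/foo.cgi.",
                   "/filename.asp:$DATA", "/foo.html.....", "/index.html"):
        print(sample, check_request_path(sample))
```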