[reformatted for better readability]

On 2004-02-14 09:11:40 -0700, J. wrote:
> :> From: Alun Jones [mailto:alun@xxxxxxxxx]
> :>
> :> > -----Original Message-----
> :> > From: Peter J. Holzer [mailto:hjp@xxxxxxxxx]
> :> >
> :> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal
> :> > file names. On Windows, trailing dots seem to be ignored, so
> :> > "WEB-INF" and "WEB-INF.." are just two names for the same file.
> :> > This also works if the filename already has an extension, so for
> :> > example "foo.html" and "foo.html....." are the same file, too. I
> :> > wonder whether that can be exploited, too: Get the contents of a
> :> > CGI script by requesting "foo.cgi."?
> :>
> :> It's been done before - certainly in IIS, there was a bug
> :> where getting a "filename.asp." URL gave you the source of
> :> the ASP script. Same for "filename.asp:$DATA".
>
> I don't acknowledge this.
>
> I tested this with Windows XPsp1 running IE 6.0.2800 with latest
> patches. Running on the latest build of Apache server on the same box.
>
> IE knew the difference between 'web-inf..' and 'web-inf.' and
> 'web-inf...' (so did apache). Matter of a fact creating separate pages
> with these names resulted in separate loading.

Alun wrote "there *was* a bug", which implies that it has been fixed.

IE doesn't have anything to do with it; it just sends the URL to the web
server which serves some content. For static content, the server usually
just tries to access a file and serves its content. It may impose
additional rules, though.

> Perhaps your 'claim' can be further substantiated by what 'you' are doing
> to IE to cause this.

I didn't do anything to IE. I just created a directory "testdir" and
file "test.txt" and tried to access "testdir...." and "test.txt...."
from cmd, which worked. That's why I claimed that "On Windows, trailing
dots seem to be ignored". A web server on Windows needs to take this
into account, just like it has to take into account that filenames are
case-insensitive.

This was on Windows 2000, SP2 (oops, rather old - but that box is going
to be reinstalled RSN anyway, says our Windows-Admin), so maybe it is
fixed in WinXP or some W2K SP.

        hp

--
   _  | Peter J. Holzer     | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| |   | hjp@xxxxxxxxx       |    -- Gordon Schumacher,
__/   | http://www.hjp.at/  |       mozilla bug #84128
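Added example, not part of the original message or of any server's own code: a request-path check that applies the rule described above, reducing each URL segment to the name Windows would actually open before comparing it with a protected-directory list. The deny list, the extension list and the function names are assumptions made for illustration; the example also treats trailing spaces like trailing dots, which goes one step beyond the cases in the thread.

```python
# Added example: compare names the way the Windows file layer resolves them,
# not the way the URL spells them. All names and rules here are assumptions.
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}   # assumed deny list, stored case-folded
SOURCE_EXTS = (".cgi", ".asp")        # assumed "execute, never serve" types


def win32_equivalent(segment: str) -> str:
    """Return the name Windows would open for this path segment."""
    name = segment.split(":", 1)[0]   # drop a stream suffix such as :$DATA
    name = name.rstrip(". ")          # trailing dots (and spaces) are ignored
    return name.casefold()            # file names are case-insensitive


def check_request(url_path: str) -> str:
    """Classify a request path as 'deny', 'handler' or 'static'."""
    decoded = unquote(url_path).replace("\\", "/")
    canonical = []
    for seg in (s for s in decoded.split("/") if s):
        if seg.strip(". ") == "":     # ".", "..", "...": no real entry name
            return "deny"
        canon = win32_equivalent(seg)
        if canon != seg.casefold():   # an alias of another name: refuse it
            return "deny"
        canonical.append(canon)
    if any(c in PROTECTED for c in canonical):
        return "deny"
    if canonical and canonical[-1].endswith(SOURCE_EXTS):
        return "handler"              # hand to the script engine, never raw
    return "static"


if __name__ == "__main__":
    # Constructed sample requests, modelled on the names used in the thread.
    for path in ("/WEB-INF../web.xml", "/Web-Inf/web.xml", "/foo.cgi.",
                 "/foo.asp:$DATA", "/foo.cgi", "/testdir/test.txt"):
        print(f"{path:22} -> {check_request(path)}")
```

Refusing any segment whose resolved name differs from its spelled name means "foo.cgi." is rejected outright instead of being served as a static file that happens to be the script source.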