CERT^® Advisory CA-1998-04 Microsoft Windows-based Web Servers access via long file names

A complete revision history is at the end of this file.

An exploitation involving long file names on Microsoft Windows-based web servers has recently been described on public mailing lists. When files on the web server have names longer than 8.3 (8 characters plus a 3-character extension), users can gain unauthorized access to files protected solely by the web server.

The CERT/CC team recommends installing patches from your vendor (see Section III.A and the appendix). Until you are able to do so, we urge you to use the workaround described in Section III.B.

We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.

I. Description

All 32-bit Microsoft Windows operating systems (commonly known as Win32) can associate two different file names with a stored file, a short name and a long name. The short version, known as 8.3-compliant, is restricted to a length of 8 characters and an extension of 3 characters. This version is required for backward compatibility with DOS. The long version of the file name is not restricted to the 8.3-compliant format but is restricted to a total length of 255 characters.

When Win32 stores a file with a short name (i.e., 8.3-compliant), it associates only that short file name with the file. However, when Win32 stores a file with a long name (i.e., greater than 8 characters), it associates two versions of the file name with the file--the original, long file name and an 8.3-compliant short file name that is derived from the long name in a predictable manner.

Example:

The 8.3-compliant short file name "Abcdefgh.xyz" is represented

1. as is: "Abcdefgh.xyz".

However, the long file name "Abcdefghijk.xyz" is represented:

1. as is: "Abcdefghijk.xyz" and
2. as 8.3-compliant: "Abcdef~1.xyz".

Some Win32-based web servers have not compensated for the two file name versions when restricting access to files that have long names. The web servers attempt to restrict access by building an internal list of restricted file names. However, for files with long names, only the long, and not the short, file name is added to this internal list. This leaves the file unprotected by the web server because the file is still accessible via the short file name.

For example, "Abcdefgh.xyz" (short) would be protected by the web server, but "Abcdefghijk.xyz" (long) would not be completely protected by the web server.

II. Impact

Users are able to gain unauthorized access to files protected solely by the web server.

III. Solution

CERT/CC urges you to immediately apply vendor patches if they are available. Until you are able to do so, we urge you to use the workaround described in Section B.

Obtain and install a patch for this problem.

Appendix A contains input from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Until you are able to install the appropriate patch, we recommend the following workaround.

1. Use only 8.3-compliant short file names for the files that you want to have protected solely by the web server. On FAT file systems (16-bit) this can be enforced by enabling (setting to 1) the "Win31FileSystem" registry key (registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\).

2. On NTFS (32-bit), you can disable the creation of the 8.3-compliant short file name for files with long file names by enabling (setting to 1) the "NtfsDisable8dot3NameCreation" registry key (registry path: HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Control\FileSystem\). However, this step may cause compatibility problems with 16-bit applications.

3. Use NTFS-based ACLs (directory or file level access control lists) to augment or replace web server-based security.

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Apache

None of the beta releases of Apache for Win32 are vulnerable to this particular problem.

Microsoft

Microsoft IIS 4.0 and PWS 4.0 with the appropriate patch are not vulnerable.

IIS 4.0 and PWS 4.0 maintain certain configuration information about directories and files in a database called the metabase. The metabase does not contain file permissions, but rather Web server-specific information such as requiring SSL encryption, proxy cache setting, and PICS ratings. Actual file and directory permissions are enforced by NTFS and are not affected by this problem.

Earlier version of IIS and PWS are not vulnerable to this issue.

Microsoft has made available a market bulletin for this issue that is available on "Advisories and Solutions" section of the Microsoft Security Advisor web site, http://www.microsoft.com/security. Please consult this bulletin for information on obtaining the patch.

National Center for Supercomputing Applications (NCSA)

The NCSA HTTPd web server does not run on Windows NT. Note that HTTPd is now an unsupported software product of the National Center for Supercomputing Applications.

Netscape

Netscape has provided the following updated information addressing the vulnerability described in this advisory.

   Enterprise Server 3.51 - This server is not vulnerable to this attack.
   Enterprise Server 3.0 - A patch has been created to fix the problem. It can be found off of help.netscape.com.
   FastTrack Server 2.01 - A patch has been created to fix the problem.
   FastTrack Server 3.01 - A patch has been created to fix the problem.

O'Reilly & Associates, Inc.

O'Reilly WebSite Professional V1 and V2 and WebSite Standard V1.0e+ are not vulnerable to this problem.

The CERT Coordination Center thanks David LeBlanc for his workaround suggestion.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 1998 Carnegie Mellon University.

Dec.  9, 1998  Added vendor information for Netscape and O'Reilly & Associates, Inc.
Feb. 11, 1998  Advisory name change, updates to Solution Section III.B, added Acknowledgment.