////////////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
////////////////////////////////////////////////////////////////////////////

----------------------------------------------------------------------------
- Multiple vendors web server source code disclosure
  (8.3 name format vulnerability - Take II)
----------------------------------------------------------------------------

=> Author: Ory Segal & Amit Klein - Sanctum inc. http://www.sanctuminc.com

=> Release date: 19/5/2002 (vendor was notified on 9/5/2002)

=> Vendor: General

The following servers were found to be vulnerable:

- Deerfield Website Pro 3.1.11.0 installed on Microsoft Win2K (SP2).
- Other web servers were found to be vulnerable to this problem, but we
  did not yet verify the vulnerability to our full satisfaction.

=> Severity: Medium/High

=> CVE candidate: Not assigned yet.

=> Summary:

Several web servers that support requests for files by their 8.3 format name can be tricked (under certain configurations) into returning an unparsed server-side script whose file name is at least 3 characters long and whose file extension is at least 4 characters long (e.g. foo.jhtml).

=> Description:

On Windows platforms, each "long file name" (a file name which is not in DOS 8.3 format) has a "short file name" (in DOS 8.3 format) as an alternate name. For example, "longfilename.txt" (which is not in DOS 8.3 format) has the alternate file name "longfi~1.txt", and "name.jumbo" has the alternate file name "name~1.jum".

The short file name is basically formed by taking the name part of the file name (all characters up to the extension), trimming it to 6 characters if necessary, appending "~1" to it, and then trimming the extension to 3 characters if necessary. If there is already a file with that same (alternate) name in the directory, the number (after the "~") is incremented until a free name is found. This scheme has one exception: if the name part is 1-2 characters long, a different algorithm is used to produce the name part.

Web servers typically associate a handler with a resource according to its extension, and typically, when no handler is associated with a particular extension, a default handler is used which returns the raw file.

Some (vulnerable) web servers running on Windows platforms fail to identify resources that are requested by their alternate 8.3 name as such, and simply try to serve these files in the standard manner. This means that the handler associated with the (trimmed) extension is invoked, and the file is served through this handler. Other, non-vulnerable web servers refuse to serve files by their alternate 8.3 name.

This has a severe security impact in the following configuration:

- A scripting extension name is 4 or more characters long (e.g. jhtml/jhtm and shtml/shtm).
- The trimmed extension (jht and sht) is not associated with the proper handler (usually, it is not associated with any handler).
- The requested script name (excluding the extension) is longer than 2 characters. For example: hello.jhtml and helloworld.shtml.

In such a case, when the alternate file name of the script resource is requested, e.g. hello~1.jht or hellow~1.sht, the vulnerable web server does not identify the resource name as an alternate name for a long file name, and attempts to serve the resource in the standard way. The server first extracts the extension ("jht" or "sht"), then associates a handler with it (since no handler is defined for "sht" or "jht", the default handler is used in both cases), and invokes that handler, which returns the file as-is, without running it. As a result, the script source is returned to the client instead of the output of the script invocation.

=> Solution:

If you are running Deerfield WebSite Pro 3.1.11.0, upgrade to version 3.1.13.0, which is available at: http://www.deerfield.com/download/website/

=> Workaround:

1. On NTFS (32-bit), you can disable the creation of the 8.3-compliant short file name for files with long file names by enabling (setting to 1) the "NtfsDisable8dot3NameCreation" registry key (registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\). However, this step may cause compatibility problems with 16-bit applications.

2. Associate the 8.3 format of the file extension with the same handler as the original file extension, e.g. if the extension in use is .jhtml, you should associate .jht with the same handler.

=> Note:

The existence of this vulnerability in the aforementioned web servers was discovered by AppScan v3.0 while running one of its "unknown vulnerability" tests. This vulnerability is not detected by any other scanner and is not yet registered in BugTraq or any other security resource.
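The short-name derivation and the handler lookup described above, as an added Python model that is not part of the advisory or of any vendor's code: it derives the 8.3 alternate name exactly as the advisory describes it, shows the vulnerable extension-only lookup beside the refusal that non-vulnerable servers apply, and applies Workaround 2 (aliasing the trimmed extension to the full extension's handler). The handler table and handler names are constructed, and the 1-2 character name-part exception is left unimplemented because the advisory does not specify it.

```python
import re

# Constructed handler table: extension -> handler name. Anything not listed
# falls through to the default handler, which returns the raw file bytes.
HANDLERS = {"jhtml": "jhtml-engine", "shtml": "ssi-engine"}
DEFAULT_HANDLER = "raw-file"
# A name part ending in "~N" is the signature of an 8.3 alternate name.
SHORT_NAME_RE = re.compile(r"~\d+$")


def split_name(filename):
    """'hello.jhtml' -> ('hello', 'jhtml'); no dot means an empty extension."""
    name, dot, ext = filename.rpartition(".")
    return (name, ext) if dot else (filename, "")

def short_name(long_name, taken=()):
    """8.3 alternate name as the advisory describes it: name part trimmed to
    6 characters plus '~N', extension trimmed to 3, N bumped until free."""
    name, ext = split_name(long_name)
    if len(name) <= 2:  # the advisory only says a different algorithm applies
        raise ValueError("1-2 character name part: algorithm not specified")
    taken = {t.lower() for t in taken}
    n = 1
    while f"{name[:6]}~{n}.{ext[:3]}".lower() in taken:
        n += 1
    return f"{name[:6]}~{n}.{ext[:3]}".lower()

def pick_handler(request, handlers=HANDLERS):
    """Vulnerable lookup: choose the handler purely by the requested extension,
    so 'hello~1.jht' lands on the default handler and leaks the script source."""
    _, ext = split_name(request.lower())
    return handlers.get(ext, DEFAULT_HANDLER)

def pick_handler_hardened(request, handlers=HANDLERS):
    """What non-vulnerable servers do: refuse 8.3 alternate names outright."""
    name, _ = split_name(request.lower())
    if SHORT_NAME_RE.search(name):
        return None  # reject instead of guessing a handler
    return pick_handler(request, handlers)

def with_trimmed_aliases(handlers):
    """Workaround 2: map each trimmed (3-character) extension to the same
    handler as the full extension, so '.jht' is handled like '.jhtml'."""
    aliased = dict(handlers)
    for ext, handler in handlers.items():
        aliased.setdefault(ext[:3], handler)
    return aliased
```

Either mitigation closes the gap in this model: the hardened lookup rejects the alternate name, and the aliased table routes the trimmed extension to the script engine instead of the raw-file default.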