IIS 5: strange problems handling certain file names

From: [SANG] Peter A. Sang (PS@SANG.DE)
Date: 04/04/03

    Date:         Fri, 4 Apr 2003 15:15:33 +0200
    From: "[SANG] Peter A. Sang" <PS@SANG.DE>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    # Hi Russ,
    # I hope this is the right place to ask, although it's not security related.
    # please forward it to ntbugtraq if you agree!
    # Thank you!
    # /Peter

    Win2k/IIS5 has (at least) two problems handling file names containing a
    comma (",").

    Came across it during installation of our new CMS that uses commas in
    filenames for statically published dynamic content:

    Example: A file is published as
    http://www.residenz-oberhausen.de/hotel.hws/p=en,home.htm
    ("p=en,home.htm" is the English home page, "p=de,home.htm" the German
    one and so on)
    To the best of my knowledge, this is a valid filename, and the same
    naming convention is used by several large content provider sites.

    Problem #1:
    It is not possible to enter e.g. "p=en,home.htm" as the default start
    document in IIS Manager snap-in. The entry is accepted, but does not
    work. When you close and reopen the snap-in, you'll find that the entry
    was garbled into 2 separate "start-documents": "p=en" and "home.htm" in
    this example.
    The comma is handled incorrectly as delimiter here!

    Problem #2:
    If we enable HTTP compression, only files without comma in their names
    are compressed in the "IIS temporary compressed files" folder *IF* they
    originated from a subdirectory without a dot (".").

    Sounds mad, here are my findings so far:

    http://www.residenz-oberhausen.de/p=de,conferencerooms,main.htm
    (compressed file is created as expected)
    http://www.residenz-oberhausen.de/test/p=de,conferencerooms,main.htm
    (compressed file is created as expected)

    http://www.residenz-oberhausen.de/hotel.hws/p=de,conferencerooms,main.htm
    (compressed file is NOT created)
    But if I exchange "," in file name with ".", it works again!
    http://www.residenz-oberhausen.de/hotel.hws/p=de.conferencerooms.main.htm
    (compressed file IS created)

    Hmmmm.... Anyone ever found this problem?

    Software: Win2K en, SP3 + most recent HFs, IISlockdown + URLscan
    installed

    Kind regards,

    Peter A. Sang
    CCNP
    SANG Computersysteme GmbH * Kruppstr. 82-100 * 45145 Essen * Germany
    T: +49-201-82020-0 * F:-40 * http://sang.de * mailto:ps@sang.de
    * Microsoft Certified Partner - Internet/Intranet Specialist *
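
Problem #1 in the message above is the behaviour a comma-delimited list store would produce. As an added example (not part of the original post and not IIS code), the Python below models that round trip and checks a stored default-document list against a directory listing to find entries that are fragments of a comma-containing file name. The function names and the sample file list are constructed for illustration, and the comma-joined storage model is an assumption based on the symptom described.

```python
def roundtrip(default_docs):
    """Write entries as one comma-joined string and read them back.

    Assumed model of a comma-delimited store, not actual IIS code.
    """
    return ",".join(default_docs).split(",")


def unrepresentable(file_names):
    """File names that cannot survive a comma-delimited list intact."""
    return sorted(n for n in file_names if "," in n)


def find_split_entries(stored_entries, file_names):
    """Find runs of adjacent stored entries that rejoin into a real file.

    Returns a list of (file_name, fragments) tuples. Names are compared
    case-insensitively, as Windows file systems do by default.
    """
    on_disk = {n.lower(): n for n in file_names}
    hits = []
    for start in range(len(stored_entries)):
        # A split name always yields at least two adjacent fragments.
        for end in range(start + 2, len(stored_entries) + 1):
            fragments = stored_entries[start:end]
            candidate = ",".join(fragments).lower()
            if candidate in on_disk:
                hits.append((on_disk[candidate], fragments))
    return hits


# Constructed sample data, using the file names quoted in the message.
FILES = [
    "default.htm",
    "p=en,home.htm",
    "p=de,home.htm",
    "p=de,conferencerooms,main.htm",
]
INTENDED = ["p=en,home.htm", "default.htm"]

if __name__ == "__main__":
    stored = roundtrip(INTENDED)
    print("stored list:", stored)
    for name, parts in find_split_entries(stored, FILES):
        print("entry %r was split into %r" % (name, parts))
    print("names that need renaming:", unrepresentable(FILES))
```
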

