Re: data stream bug still alive?
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 10/27/01
Date: Sat, 27 Oct 2001 10:38:31 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <105372966.20011027103831@SECURITY.NNOV.RU>
To: "NDR113" <ndr113@350cc.com>
Subject: Re: data stream bug still alive?
Hello NDR113,
If you have PHP pages handled by an ISAPI filter, it may be a
problem of the ISAPI filter which comes with PHP 4. Check the PHP
logs - if PHP is called on a request to
http://www.server.com/file.php::$DATA - it's a PHP-specific
problem.
--Saturday, October 27, 2001, 2:00:52 AM, you wrote to vuln-dev@securityfocus.com:
N> Data Stream Bug may still work (on an unusual configuration)
N> [===================================]
N> + Past Problem
N> The Windows NT file system, NTFS, supports multiple data streams within a
N> file, DATA being the main content stream.
N> The possibility of remotely getting, via IIS, the source code of files like
N> an ASP script was reported on July 8, 1998 by Paul Ashton on this mailing
N> list. This was done by requesting the file and ::$DATA. Microsoft released a
N> fix, and the problem was solved in the subsequent Service Packs for Windows
N> NT.
N> + Present Problem
N> Yet it seems to us that this problem persists on some unusual configurations,
N> such as a Windows NT box with IIS and PHP scripting. In our tests on two
N> separate Windows NT boxes, with IIS 4, PHP4, the fix available for the bug
N> and the latest SP6a, it is still possible to obtain the source of PHP files.
N> eg. http://www.server.com/file.php::$DATA
N> + Implications
N> Besides the obvious vulnerability, this shows that the fix given by Microsoft,
N> far from solving the real problem, just applied the "workarounds" in the
N> registry for how to manage specific extensions (.asp, .pl, and so on),
N> excluding .php.
N> + Final
N> Anyone who can confirm or refute this, please post it.
N> + More Information
N> ":$DATA Stream Name of a File May Return Source"
N> http://support.microsoft.com/support/kb/articles/Q188/8/06.ASP
N> "HOW TO: Use NTFS Alternate Data Streams"
N> http://support.microsoft.com/support/kb/articles/Q105/7/63.ASP
N> Roberto Alamos M. (theye@350cc.com)
N> Carlos Gaona U. (ndr113@350cc.com)
N> www.350cc.com
-- ~/ZARAZA
When a little bird dies of gluttony, it gets skewered on a spit. (Lem)
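A web-server-side complement to the log check suggested in the reply, as an added example that is not part of the original thread: it scans access-log lines for requests that name an NTFS stream (such as `file.php::$DATA`, including percent-encoded forms) and marks those that returned 200 for a script extension. It assumes IIS W3C extended logs with a `#Fields:` header; the function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2001-10-27 06:38:31 192.0.2.10 GET /file.php 200 512
2001-10-27 06:38:40 192.0.2.10 GET /file.php::$DATA 200 2048
2001-10-27 06:39:02 192.0.2.11 GET /app/login.php%3A%3A%24data 200 1890
2001-10-27 06:39:15 192.0.2.12 GET /default.asp::$DATA 404 0
2001-10-27 06:40:00 192.0.2.13 GET /img/logo.gif 200 4096
"""

# NTFS stream syntax on the last path segment: name[:stream]:$TYPE
STREAM_RE = re.compile(r"^(?P<name>[^:/\\]+):(?P<stream>[^:/\\]*):\$(?P<type>[A-Za-z_]+)$")
SCRIPT_EXT = (".php", ".asp", ".pl")  # extensions mentioned in the thread

def fully_unquote(value, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded suffixes are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_stream_requests(log_text):
    """Return one finding per request whose path names an NTFS data stream."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        path = fully_unquote(row.get("cs-uri-stem", ""))
        match = STREAM_RE.match(path.rsplit("/", 1)[-1])
        if not match:
            continue
        served = row.get("sc-status") == "200"
        is_script = match["name"].lower().endswith(SCRIPT_EXT)
        findings.append({
            "client": row.get("c-ip"), "path": path,
            "status": row.get("sc-status"),
            # A 200 on a script name suggests the file was served as static content.
            "likely_source_disclosure": served and is_script,
        })
    return findings
```

A flagged request with no matching entry in the PHP log points at the web server serving the file directly; a matching PHP entry points at the PHP handler, as the reply describes.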