Comments on: Windows Short (8.3) Filenames – A Security Nightmare? http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/ Web Vulnerability Scanner Thu, 23 May 2013 22:23:06 +0000 hourly 1 By: Rstar's Blog » IIS短文件/文件夹漏洞(汇总整理) http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-638 Rstar's Blog » IIS短文件/文件夹漏洞(汇总整理) Tue, 24 Jul 2012 08:24:56 +0000 http://www.acunetix.com/blog/?p=5987#comment-638 [...] Soroush Dalili的文章,这篇文章里暴露了两个问题。 [...]

]]> By: kolektory słoneczne http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-637 kolektory słoneczne Mon, 23 Jul 2012 07:33:45 +0000 http://www.acunetix.com/blog/?p=5987#comment-637 A interesting post right there mate . Thanks for posting !

]]> By: mark http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-636 mark Tue, 10 Jul 2012 07:59:23 +0000 http://www.acunetix.com/blog/?p=5987#comment-636 Applications should store backups in the hidden folders such as app_data, then the issue does not rise. It’s just an example of bad configuration if the backup files are in public folders that are exposed using http.

]]> By: IIS短文件/文件夹漏洞(汇总整理)- FreebuF.COM http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-635 IIS短文件/文件夹漏洞(汇总整理)- FreebuF.COM Mon, 09 Jul 2012 05:15:50 +0000 http://www.acunetix.com/blog/?p=5987#comment-635 [...] Soroush Dalili的文章,这篇文章里暴露了两个问题。 [...]

]]> By: Bogdan Calin http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-634 Bogdan Calin Fri, 06 Jul 2012 08:19:00 +0000 http://www.acunetix.com/blog/?p=5987#comment-634 None that I’m aware of.

]]> By: Raphael http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-633 Raphael Fri, 06 Jul 2012 01:30:45 +0000 http://www.acunetix.com/blog/?p=5987#comment-633 Is there a SFN Disclosure Vulnerability about apache on windows?

]]> By: Alex http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-632 Alex Tue, 03 Jul 2012 19:28:23 +0000 http://www.acunetix.com/blog/?p=5987#comment-632 I really don’t think that relying on a long/complex filename instead of moving it out of web root represents any kind of security measure.
Specially in a wordpress plugin, since you can have a web server with directory listing set to on.

]]> By: Sad http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-631 Sad Tue, 03 Jul 2012 18:26:41 +0000 http://www.acunetix.com/blog/?p=5987#comment-631 Um, how is Linux affected by this problem? Linux doesn’t automatically create and translate DOS compatible filenames.

And the solution is simple, disallow tilde altogether via htaccess or simply disallow [a-Z]{cnt}~{0-9}

]]> By: Bogdan Calin http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-630 Bogdan Calin Tue, 03 Jul 2012 17:40:10 +0000 http://www.acunetix.com/blog/?p=5987#comment-630 Yes, Linux is not affected by this problem. However the backup problem was just an example. Any web application that is using the name of a file as a security measure will be affected by this.

]]> By: Simon SC http://www.acunetix.com/blog/web-security-zone/windows-short-8-3-filenames-web-security-problem/#comment-629 Simon SC Tue, 03 Jul 2012 16:08:11 +0000 http://www.acunetix.com/blog/?p=5987#comment-629 Interesting and useful advice. Of course, a solution would be to use a Linux or OS X computer running Apache — that would offer better protection against this. But the registry addition is a good nugget.

Also, maybe backups should be stored off-site?

]]>