Security Hole in Windows

My response to Dave Winer's Security Hole in Windows Web Servers DaveNet.

I don't know what the exact mechanism of the bug is, but I'd imagine it's something like this: the web server looks for the extension on the file, sees that it's not ".asp" (it's ".asp."), so it passes it off to the code that sends the file to the client. That code asks Windows to open the file, and Windows does, because it has such brain-dead handling of periods in filenames, and therefore the file gets sent to the client.

So far as the application knows, the file name is just fine and valid. After all, Windows allowed it to be opened, and it didn't have a ".asp" extension.
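The order of operations described above, as an added illustration in Python (not code from the original post or from any Microsoft product): the vulnerable handler classifies the name as the client sent it, the hardened one classifies the name the filesystem will actually open. The normalization model (trailing dots and spaces stripped from the last path component) and the document root are assumptions constructed for the example.

```python
"""Added illustration: simulated Win32 name normalization next to the two
orders in which a server can check an extension. Not code from the post."""

SCRIPT_EXTENSIONS = {".asp"}   # names the script engine must handle
EXECUTED = "executed"          # handed to the script engine
SERVED_RAW = "served-raw"      # plain file copied to the client

# Constructed stand-in for the document root: name -> file source.
DISK = {"default.asp": '<% db_password = "constructed-example" %>'}


def win32_normalize_leaf(name: str) -> str:
    """Assumed model of what the OS does to the last path component:
    trailing dots and spaces are silently dropped before lookup."""
    return name.rstrip(". ")


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    _, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot else ""


def is_script_raw(requested: str) -> bool:
    """Vulnerable order: classify the name exactly as the client sent it.
    'default.asp.' has extension '.', so it is not treated as a script."""
    return extension_of(requested) in SCRIPT_EXTENSIONS


def is_script_canonical(requested: str) -> bool:
    """Hardened order: normalize first, so the check sees the same name
    the filesystem will open."""
    return extension_of(win32_normalize_leaf(requested)) in SCRIPT_EXTENSIONS


def is_canonical(requested: str) -> bool:
    """Stricter policy: refuse anything the OS would rewrite at all."""
    return win32_normalize_leaf(requested) == requested


def serve(requested: str, classify) -> tuple:
    """Simulated request handler; returns (disposition, body)."""
    if classify(requested):
        return (EXECUTED, None)
    body = DISK.get(win32_normalize_leaf(requested))  # the OS "opens" it
    if body is None:
        return ("404", None)
    return (SERVED_RAW, body)   # source leaks here in the vulnerable order
```

Running `serve("default.asp.", is_script_raw)` returns the page source, while `serve("default.asp.", is_script_canonical)` hands it to the script engine; `is_canonical` rejects the request outright.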

Laying this one on the software vendors is the worst abrogation of responsibility I've seen yet. There's no reason that an application program should have to duplicate that much of the functionality of a basic file system in order to handle general cases that the OS is incapable of dealing with.

What other hidden conditions cause the OS to give me back a file handle when it shouldn't? Where does Microsoft document these conditions so that I can explicitly check for them?

On the other hand, this is consistent with Microsoft's half-assed approach to API implementation, as anyone who's shipped code for one of their OSs can tell you.

Thanks for the great resource, keep up the good work, feel free to reproduce this in whole or part as you see fit.


Wednesday, July 1st, 1998 danlyke@flutterby.com