Q179148: Settings May Not Be Applied with URL with Short Filename

Aleph One (aleph1@DFW.DFW.NET)
Fri, 23 Jan 1998 22:16:40 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Marcin Cieslak: "CDE: dtappgather on AIX"
Previous message: Grant Beattie: "(AUSCERT ESB-98.009) CERT Advisory CA-98.02 - Vulnerabilities in CDE"

ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/sfn-fix/

Settings May Not Be Applied with URL with Short Filename

---------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Server version 4.0
- Microsoft Personal Web Server version 4.0
---------------------------------------------------------------------------

SYMPTOMS
========

Microsoft has been made aware of an issue in Internet Information Server
(IIS) 4.0 and Personal Web Server (PWS) 4.0 in which certain configuration
settings may not be applied when a URL with short file name equivalents is
requested. These configuration setting include restricting access by IP
address, PICS ratings, and requiring SSL encryption. Windows NT file
permissions (ACLs) are not affected.

Users are able to access certain directories or files through IIS 4.0 or
PWS 4.0 and bypass specific security settings such as SSL encryption.

CAUSE
=====

The Windows NT and Windows 95 file systems (FAT, FAT32, and NTFS) support
file names of up to 255 characters. To maintain compatibility with older,
non 32-bit applications, a short file name (called the 8.3 file name) is
created for each file. This short file name equivalent is used by older
applications to access directories and files with long names.
IIS 4.0 and PWS 4.0 maintain certain configuration information about
directories and files in a database called the metabase. The metabase
does not contain file permissions, but rather Web server-specific
information such as requiring SSL encryption, proxy cache setting, and
PICS ratings. Actual file and directory permissions are enforced by NTFS
and are not affected by this problem.

In certain cases when a URL is requested using the short file name, it
is possible that configuration properties specified in the metabase may
not be applied as expected. This issue only occurs where long file names
are used for directories or files, and specific metabase configuration
properties are set on those directories or files. File permissions by a
user or group using NTFS access control lists (ACL) are not affected.

STATUS
======

Microsoft has confirmed this to be a problem in Internet Information
Server version 4.0.

A supported fix is now available, but has not been fully regression-
tested and should be applied only to systems experiencing this specific
problem. Unless you are severely impacted by this specific problem,
Microsoft recommends that you wait for the next Service Pack that contains
this fix. Contact Microsoft Technical Support for more information.

Next message: Marcin Cieslak: "CDE: dtappgather on AIX"
Previous message: Grant Beattie: "(AUSCERT ESB-98.009) CERT Advisory CA-98.02 - Vulnerabilities in CDE"