Multiple vulnerabilities in popular Web servers
When a file is created on a Windows system, a DOS-compatible 8.3 short file name (hereafter referred to as ‘8.3 alias’) is generated for backwards compatibility reasons. Both names can be used to refer to the same file. Applications which allow users to specify file names on Windows systems should be aware of these aliases and handle them appropriately.
Often, by using 8.3 aliases for files, one can bypass IDS/IPS detection, and evade filters and file restrictions. This can be a result of the fact that only the long versions of file and folder names will be restricted and the alias will not match the long filename.
Referencing files by their 8.3 aliases can even change how the files are handled, because the file extension is truncated to three characters whenever the original extension is longer. The problem is made worse by intermediary systems such as load balancers and caches: they have no access to the file system actually being served, so to compare user-supplied names against restricted file and path names they would first have to convert those restricted names to their 8.3 aliases themselves. That conversion may not be possible, because the alias a file receives depends on which other files or folders with similar names exist on the system.
Core Security released an advisory that describes multiple vulnerabilities based on quirks in how Windows handles file names. The affected software is the Windows version of the following web servers:
Nginx Web Server
The way Nginx handles files may differ when they are requested using their 8.3 alias, and short file or path names are not correctly handled when applying file handling rules or access restrictions. By abusing these flaws, an attacker can bypass security options implemented in the web server. For instance, file.shtml will become FILE~1.SHT. This will cause the file to be handled as a .sht file, not a .shtml file. As a result, instead of processing SSI directives as would normally be the case for a .shtml file, the file is served unprocessed. Additionally, Nginx does not correctly handle extraneous spaces after file extensions when applying preprocessing rules or access restrictions.
Cherokee Web Server
On Cherokee Web Server for Windows, short file and folder names are not correctly handled when applying file handling rules, IP access restrictions or authentication rules. Extraneous trailing spaces in file names are also not correctly handled when applying file handling rules or access restrictions. By abusing these flaws, an attacker can access Cherokee configuration folders from any IP address without authentication, bypassing the web server's security protection mechanisms.
Mongoose Web Server
Mongoose does not correctly handle Windows short file names (and folder names) when applying preprocessing rules or access restrictions. As a result, an attacker can bypass the web server security protection mechanisms, and protected files can be accessed unprocessed without authentication.
LightTPD Web Server
The WLMP build of LightTPD for Windows does not correctly handle Windows short file or path names when applying preprocessing rules, file extension restrictions or access restrictions. It also does not correctly handle extraneous trailing periods when applying file extension restrictions, although it does apply preprocessing rules correctly to such names.
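The following is an added example, not code from the advisory or from any of the servers above. It contrasts a rule matcher that works on the raw request path, as the advisory describes these servers doing, with a hardened matcher that refuses path components which could be an 8.3 alias or carry the trailing spaces or periods that Windows strips. The rule set (an SSI extension and a protected folder) is constructed for the example.

```python
import re

# Constructed rule set for the example: SSI preprocessing by extension and a
# protected folder that must not be served at all.
SSI_EXTENSIONS = {".shtml"}
PROTECTED_PREFIXES = ("/config/",)

# Heuristic for a DOS 8.3 alias path component such as FILE~1.SHT:
# a short stem, a tilde plus a number, and at most a three-character extension.
ALIAS_COMPONENT = re.compile(r"^[^\\/.]{1,7}~\d+(?:\.[^\\/.]{1,3})?$")


def _extension(path: str) -> str:
    """Return the final extension of the last path component, lower-cased."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def naive_decision(path: str) -> str:
    """Apply the rules to the raw request path, as the affected servers did.

    Returns "deny", "ssi" or "static". A request for FILE~1.SHT or for
    "file.shtml " (trailing space) reaches the same file as file.shtml but
    matches neither the extension rule nor the protected-folder rule.
    """
    if path.lower().startswith(PROTECTED_PREFIXES):
        return "deny"
    return "ssi" if _extension(path) in SSI_EXTENSIONS else "static"


def hardened_decision(path: str) -> str:
    """Reject any component that could be an alternate name of a restricted file.

    8.3 aliases and names with trailing spaces or periods refer to the same
    file as the long name, so the rules are only meaningful on the long form.
    """
    for component in path.split("/"):
        if component != component.rstrip(" ."):
            return "reject"  # Windows drops trailing spaces/periods on open
        if ALIAS_COMPONENT.search(component):
            return "reject"  # possible 8.3 alias; rules would not match it
    return naive_decision(path)
```

On Windows the authoritative check is to resolve the requested path to its long form on the real file system (GetLongPathName) before applying any rule; the pattern check above is the filter that can still be applied where no file system access exists, such as on a proxy or load balancer.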
Vulnerable packages
- Nginx Web Server v0.7.63
- Nginx Web Server v0.8.29
- Cherokee Web Server v0.99.28
- Mongoose Web Server v2.8
- WLMP web server package for Windows v1.1.6.1171.
Older versions are probably affected too, but they were not checked.