Web Servers and File Systems
Thursday, July 2, 1998 by Dave Winer.
Yesterday I got a call from Jay Allard at Microsoft; he's the man responsible for their IIS web server. We had a long talk about how to handle security holes in their operating system, notification of other server vendors, etc.
During the conversation, he teased me, saying that they had found another source code revealing hole in Windows. I asked for details and he declined, understandably, not wanting to offer the recipe until they had a defense in place.
Well, literally minutes after this conversation, a message started circulating on the net showing a new, very serious hole in IIS, Allard's server, and I wonder if this is the one he was talking about.
Here's the recipe...
Add a cryptic string at the end of a URL to a script-generated page.
The cryptic string is ::$DATA.
So if you want the source code to Microsoft's home page:
It works for Perl code too:
Does this trick work on your server too? I'd check it out if I were you!
Note that as this hole becomes well-known, you may not actually get the source code with this trick. But as of 6:24AM Pacific on 7/2/98, you do.
A message to people who write web server software.
Don't depend on Microsoft to close the holes in Windows. You can and must do it for yourself. Roll up your sleeves and start coding.
You have to parse the URL yourself, and as you do so, walk the directory structure one component at a time; don't rely on any of the fancy name handling Windows does at the file system level.
We have source code that does this, we don't consider it proprietary, and we'll release it asap on the Scripting News home page.
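Here is what that advice looks like in code. This is an added example, not the UserLand source mentioned above and not code from Microsoft; the function names (parse_url_path, resolve, serve, make_sample_docroot) and the sample document tree are constructed for this illustration, and the lists of reserved characters and DOS device names are this example's assumption about what a server should refuse. The server parses the request path itself, rejects anything a plain file name in a document tree should never contain (the colon that introduces an NTFS data stream such as ::$DATA, dot segments, trailing dots and spaces), and then walks the tree one name at a time with an exact string match against each directory listing, so the file system's own name mapping never decides which file is served.

```python
import os
import tempfile
from urllib.parse import unquote

# Characters that Win32/NTFS name parsing interprets specially (assumed list).
# The colon is the one behind the ::$DATA hole: "page.asp::$DATA" names the
# unnamed data stream of page.asp, so a server that hands the raw URL to the
# file system opens the script's source instead of running the script.
FORBIDDEN_CHARS = frozenset(':\\<>"|?*')

# Legacy DOS device names that Win32 resolves regardless of directory or extension.
RESERVED_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)


def parse_url_path(url_path):
    """Turn the path part of a request URL into a list of plain name segments.

    Raises ValueError for anything a file name in a document tree should never
    contain, so the segments can be compared against directory listings as-is.
    """
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)  # one round of %XX decoding, then no further interpretation
    if not path.startswith("/"):
        raise ValueError("request path must be absolute")
    segments = []
    for seg in path.split("/"):
        if seg == "":
            continue  # leading slash, doubled slashes, trailing slash
        if seg in (".", ".."):
            raise ValueError("dot segments are not allowed")
        if any(c in FORBIDDEN_CHARS or ord(c) < 32 for c in seg):
            raise ValueError("segment contains a reserved character: %r" % seg)
        if seg != seg.rstrip(" ."):
            raise ValueError("trailing dots or spaces are not allowed: %r" % seg)
        if seg.split(".", 1)[0].upper() in RESERVED_NAMES:
            raise ValueError("DOS device name is not allowed: %r" % seg)
        segments.append(seg)
    return segments


def resolve(docroot, segments):
    """Walk docroot one segment at a time, matching names exactly as listed.

    Returns the file's path, or None if any segment is missing, is a symlink,
    or is the wrong kind of entry. The exact comparison against os.listdir()
    means case folding, 8.3 short names and data streams never get a say.
    """
    current = docroot
    for i, seg in enumerate(segments):
        if seg not in os.listdir(current):
            return None
        current = os.path.join(current, seg)
        if os.path.islink(current):
            return None  # a link could point outside the document tree
        last = i == len(segments) - 1
        if last and not os.path.isfile(current):
            return None  # directories are not served by this resolver
        if not last and not os.path.isdir(current):
            return None
    return current if segments else None


def serve(docroot, url_path):
    """Classify a request the way a server's dispatcher would: (status, detail)."""
    try:
        segments = parse_url_path(url_path)
    except ValueError as exc:
        return ("bad-request", str(exc))
    target = resolve(docroot, segments)
    if target is None:
        return ("not-found", "/".join(segments))
    return ("ok", "/".join(segments))


def make_sample_docroot():
    """Constructed document tree for the demo: one script and one static page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "scripts"))
    with open(os.path.join(root, "scripts", "default.asp"), "w") as f:
        f.write('<% Response.Write("hello") %>\n')
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>hi</html>\n")
    return root


if __name__ == "__main__":
    root = make_sample_docroot()
    for url in ["/index.html", "/scripts/default.asp", "/scripts/default.asp::$DATA",
                "/scripts/default.asp%3A%3A%24DATA", "/scripts/../index.html",
                "/scripts/DEFAULT.ASP", "/scripts/"]:
        print(url, "->", serve(root, url))
```

The point of the exact listdir() match is that the decision about which file a name refers to is made by the server's own string comparison, not by the file system: a request for DEFAULT.ASP is a 404 even on a case-insensitive volume, and a request ending in ::$DATA never reaches the file system at all.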
And don't dis the Windows file system yet, it's legacy piled on legacy. Yesterday's hole was inherited from CP/M, a 20-year-old operating system. Who knows where today's hole comes from? And tomorrow's.
At least on Windows, web servers and file systems are different things. Software has to take this into account.
PS: Microsoft could add a new API to Windows, one that turns a URL into a file spec. But it's hard to imagine developers trusting this API anytime soon.