Detail

Windows Short Filename

Severity: Low

Summary

Netsparker identified a Windows short file/folder name disclosure.

The vulnerability is caused by the tilde character (~) with the old DOS 8.3 name convention in an HTTP request. It allows a remote attacker to disclose file and folder names that is not supposed to be accessible.

Impact
Attackers could find important files that are normally not accessible from the outside and gain intelligence about the application infrastructure. This may cause the leakage of files containing sensitive information such as credentials, configuration files and maintenance scripts.
Remediation
  • For Windows Server 2012 and after

    1. Set value to "1" of the NtfsDisable8dot3NameCreation registry key in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
    2. Open the Command Line with administrator rights and run the command below.

      C:\Windows\System32>FSUTIL.exe 8dot3name set C: 1
  • For Windows Server 2008 and before

    1. Set value to "1" of the NtfsDisable8dot3NameCreation registry key in HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
    2. Open the Command Line with administrator rights and run the command below.

      C:\Windows\System32>FSUTIL.exe behavior set disable8dot3 1
Classifications
PCI v3.1-6.5.8, PCI v3.2-6.5.8, CAPEC-87, WASC-34, OWASP 2013-A7
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO

NETSPARKER

WEB SECURITY

COMPANY

Netsparker Ltd

  • United Kingdom, (reg. no. 06947644)
  • USA Office: +1 415 877 4450
  • UK Office: +44 (0)20 3588 3840
  • contact@netsparker.com
Copyright © 2018 Netsparker Ltd. All rights reserved. | Privacy Policy