open https://gitlab.synchro.net/main/sbbs/-/issues/269

With Windows NTFS, appending "::$DATA" to a filename is an alternate name for accessing a file's contents (data).This can be used in the Synchronet web server to defeat filename security checks, e.g.http://vert.synchro.net/members/webctrl.ini - fails with the expected error "403 Forbidden" whilehttp://vert.synchro.net/members/webctrl.ini::$DATA - returns the contents of the sysop's members/webctrl.ini fileThere are likely other instances of this type of vulnerability in the web server, so I wanted to have a discussion around a more wholistic solution than simply addressing this one-off example (which would require only a trivial change to websrvr.c).
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2011

Surprised it doesn't give a 404 error since the "file" doesn't exist. It's pretty insane if state() and/or access() or whatever the web server uses allows it. A quick web search doesn't show any generic solutions.
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2012

Yup, stat() and access() allow it. It is insane.
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

https://gitlab.synchro.net/main/sbbs/-/issues/269#note_2013

For more info: https://nvd.nist.gov/vuln/detail/CVE-1999-0278
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

close https://gitlab.synchro.net/main/sbbs/-/issues/269
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Subject: Re: NTFS Alternate Data Stream vulnerability leaks webctrl.ini content @MSGID: <60BF7F75.25129.dove.sync_sys@realitycheckbbs.org>
@REPLY: <60BAA1C7.50426.sync_sys@vert.synchro.net>
@TZ: c1e0

Rob Swindell wrote to GitLab issue in main/sbbs <=-

open https://gitlab.synchro.net/main/sbbs/-/issues/269

With Windows NTFS, appending "::$DATA" to a filename is an alternate
name for accessing a file's contents (data).

I saw a change to websrvr.c in the commit log - has there been any examples
of exploits in the wild of this vulnerability, and should we be upgrading sooner rather than later or wait for the bigger picture solution you
refer to?


... Abandon desire
--- MultiMail/DOS v0.52
� Synchronet � realitycheckBBS -- http://realitycheckBBS.org
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Re: NTFS Alternate Data Stream vulnerability leaks webctrl.ini content
By: poindexter FORTRAN to Rob Swindell on Sun Jun 06 2021 10:03 am

With Windows NTFS, appending "::$DATA" to a filename is an alternate name for accessing a file's contents (data).

I saw a change to websrvr.c in the commit log - has there been any examples of exploits in the wild of this vulnerability, and should we be upgrading sooner rather than later or wait for the bigger picture solution you
refer to?

No, none that I'm aware of. The only vulnerability I imagined was the leaking of the contents of scripts (e.g. .xjs or .ssjs files) and webctrl.ini files. Most sysops probably don't think that stuff is too confidential to work much about.
--
digital man

Sling Blade quote #2:
Karl (re: killing Doyle): I hit him two good whacks in the head with it.
Norco, CA WX: 71.0�F, 53.0% humidity, 9 mph NNE wind, 0.00 inches rain/24hrs --- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)