
Issue created Jun 04, 2021 by Rob Swindell (@rswindell), Owner

NTFS Alternate Data Stream vulnerability leaks webctrl.ini content

With Windows NTFS, appending "::$DATA" to a filename is an alternate name for accessing a file's contents (data).

This can be used in the Synchronet web server to defeat filename security checks, e.g. http://vert.synchro.net/members/webctrl.ini fails with the expected "403 Forbidden" error, while http://vert.synchro.net/members/webctrl.ini::$DATA returns the contents of the sysop's members/webctrl.ini file.

There are likely other instances of this type of vulnerability in the web server, so I wanted to have a discussion around a more holistic solution than simply addressing this one-off example (which would require only a trivial change to websrvr.c).
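As an added illustration (not Synchronet's websrvr.c), the following C shows a naive basename check that the `::$DATA` suffix defeats, next to a hardened version that strips any NTFS stream suffix from the last path component before comparing; the function names, the 256-byte buffer and the `webctrl.ini` comparison are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Pointer to the last path component, accepting '/' or '\\' separators. */
static const char *basename_of(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;
    return base;
}

/* Copy 'path' into 'out' with any NTFS stream suffix (":name",
 * ":name:$type" or "::$DATA") removed from the final component.
 * Only the last component is inspected, so a drive prefix such as
 * "C:\\" in an earlier component is left untouched.
 * Returns false when the result would not fit in 'out'. */
bool strip_ntfs_stream(const char *path, char *out, size_t outlen)
{
    const char *base = basename_of(path);
    const char *colon = strchr(base, ':');
    size_t len = colon != NULL ? (size_t)(colon - path) : strlen(path);

    if (len + 1 > outlen)
        return false;
    memcpy(out, path, len);
    out[len] = '\0';
    return true;
}

/* Naive check (the flaw described in the issue): the raw request
 * basename "webctrl.ini::$DATA" does not equal "webctrl.ini". */
bool is_forbidden_naive(const char *req_path)
{
    return strcasecmp(basename_of(req_path), "webctrl.ini") == 0;
}

/* Hardened check: normalise away the stream suffix first, and fail
 * closed if the path cannot be normalised. */
bool is_forbidden_request(const char *req_path)
{
    char clean[256];  /* assumed upper bound for this example */

    if (!strip_ntfs_stream(req_path, clean, sizeof clean))
        return true;
    return strcasecmp(basename_of(clean), "webctrl.ini") == 0;
}
```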
