4

Several web applications I tested have the behavior that reserved Windows filenames such as AUX, CON, NUL, PRN, COM1, LPT1 have different behavior than other pages. For example, http://example.com/foo will give a 404, where http://example.com/aux will give an 500 error.

What causes this behavior? Does this indicate a security problem?

Sjoerd
  • 28,707
  • 12
  • 74
  • 102
  • 1
    I've seen this quite a lot, but haven't managed to deduce anything beyond "it's running IIS" from it. However, it would be really useful if someone did know more. – Matthew Feb 20 '17 at 09:11
  • I believe more information about the system is required to provide a meaningful answer, for example are you really running IIS? which version? Still, from the looks of it I would treat it as a configuration "caveat" and not as a security concern, perhaps SuperUser is a better place for this unless you're wondering about fingerprinting the OS (in which case I would reword the question) – Purefan Feb 20 '17 at 09:35

1 Answers1

2

By default on an IIS server the path of a URL is validated by using the same rules that determine whether a Windows file system path is valid. So this is the reason why http://example.com/aux can give an 500 (aux is an invalid directory name) but http://example.com/foo a 404 (foo is ok). This behavior can be disabled by setting relaxedUrlToFileSystemMapping = true in web.config.

Apart from a possible small information disclosure that you are running an IIS server there is no security problem.

40F4
  • 932
  • 6
  • 16