Yes. It is possible to crash a web server hosted on a windows box using these "special" files. Usually the vulnerability comes from posting to a script that attempts to open a file based on the arguments passed to it, not just by asking for one of these files. (I think IIS isn't dumb enough to just try them outright anymore... but most people who write scripts and whatnot aren't aware of this legacy stuff.) I don't know about different web servers besides IIS, I haven't spent that much time fooling around with it...
-gabe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard M. Smith Sent: Wednesday, July 09, 2003 9:50 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Does the Windows AUX bug affect Web servers also? Is it possible to also crash a Web server hosted on a Windows box using a URL something like: http://www.somebody.com/aux If this particular URL is okay, maybe there are other URLs that will cause a crash. For example, POSTing a form to a URL containing AUX. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
