Definition
A malicious entity can confirm the existence of files and directories that have an 8.3 (short) filename. The 8.3 naming convention exists for compatibility with older programs, but it can be abused by an attacker to detect which files are present on the server.
By submitting requests containing a tilde character (“~”) and wildcard characters (“*” and “?”), it is possible to confirm whether or not a file or directory exists by observing the difference between HTTP responses. This may lead to an attacker accessing files that contain sensitive information about the web application, the underlying architecture, or the infrastructure that supports the application.
Impact Description
Attackers can use automated tools, as an unauthenticated user, to find the short names of files and directories and discover old or alternate filenames that contain sensitive information. This may have a negative impact on the confidentiality and integrity of the systems associated with this application.
Risk Mitigation
If not required, disable 8.3 file name creation on the server.
Instructions to do so can be found at the following location: https://support.microsoft.com/en-gb/help/121007/how-to-disable-8-3-file-namecreation-on-ntfs-partitions
Please note that this does not affect the short names of files that already exist.
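The following PowerShell script is an added example, not part of the original article: it reads the current 8.3 policy, disables short name creation with fsutil, and then inventories files under the web root that already carry a short name (the case the note above warns about). The web root path C:\inetpub\wwwroot is an assumption; run it in an elevated session.

```powershell
# Added example: audit and disable 8.3 short name creation, then list files that
# already have a short name so they can be reviewed. Requires an elevated session.
$WebRoot = 'C:\inetpub\wwwroot'   # assumption: replace with the site's physical path

# 1. Current policy. NtfsDisable8dot3NameCreation: 0 = creation enabled on all volumes,
#    1 = disabled on all volumes, 2 = decided per volume (the default on newer Windows).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$current = (Get-ItemProperty -Path $key -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
Write-Host "NtfsDisable8dot3NameCreation is currently $current"

# 2. Disable short name creation system-wide (sets the registry value to 1).
#    Only files created after this point are affected.
if ($current -ne 1) {
    fsutil 8dot3name set 1 | Out-Null
    Write-Host 'Short name creation disabled for all volumes (new files only).'
}

# 3. Existing files keep their short names. Inventory them under the web root so they
#    can be renamed or stripped (fsutil 8dot3name strip /s /f <dir>) after review.
$fso = New-Object -ComObject Scripting.FileSystemObject
$findings = Get-ChildItem -Path $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $short = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName).ShortName } else { $fso.GetFile($_.FullName).ShortName }
        # ShortName equals the long name when the item has no separate 8.3 alias.
        if ($short -and $short -ne $_.Name) {
            [pscustomobject]@{ Path = $_.FullName; ShortName = $short }
        }
    }

if ($findings) {
    Write-Host "$(@($findings).Count) items under $WebRoot still have 8.3 short names:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No 8.3 short names found under $WebRoot."
}
```

Stripping short names can break legacy software that relies on them, so review the inventory before running fsutil 8dot3name strip.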