Short File Naming Enabled

  • PCI 3.2-6.5.8
  • CAPEC 87
  • WASC 34
  • OWASP 2013-A7

Several versions of Microsoft IIS make it possible, through certain request patterns, to detect the short names of files and directories that have an 8.3 file naming scheme equivalent in Windows. For instance, all short names of ".aspx" files can be detected, since their extension is 4 letters long.

This can be a major issue, especially for .NET websites that are vulnerable to direct URL access, because an attacker can discover important files and folders that are not normally visible.

Remediation
  1. Set the NtfsDisable8dot3NameCreation registry value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem to "1".

  2. Open a Command Prompt with administrator rights and run the command that matches the operating system:

    • For Windows Server 2012 and after

      C:\Windows\System32>FSUTIL.exe 8dot3name set C: 1

    • For Windows Server 2008 and before

      C:\Windows\System32>FSUTIL.exe behavior set disable8dot3 1
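The two remediation steps above, collected into one audit-and-fix script as an added example (not part of the original advisory). It assumes an elevated PowerShell session on Windows Server 2012 or later and that the IIS content lives on C:; $SiteVolume is a placeholder to adjust.

```powershell
# Added example: audit and disable 8.3 short-name creation for an IIS host.
# Assumptions: elevated session, Windows Server 2012+ (fsutil 8dot3name syntax),
# site content on the volume named in $SiteVolume (placeholder).
$SiteVolume = 'C:'
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$RegName    = 'NtfsDisable8dot3NameCreation'

# Report the current global setting before changing it.
# Documented values: 0 = short names created on all volumes, 1 = disabled on all volumes,
# 2 = decided per volume, 3 = disabled except on the system volume.
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
Write-Output "Current $RegName = $current"

# Remediation step 1: disable short-name creation globally via the registry.
Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord

# Remediation step 2: disable it on the site volume as well.
fsutil.exe 8dot3name set $SiteVolume 1

# Verify the effective per-volume setting.
fsutil.exe 8dot3name query $SiteVolume

# Caveat: both settings only stop new short names from being generated; short names
# that already exist on disk remain and are still disclosed. 'fsutil 8dot3name scan'
# lists them and 'fsutil 8dot3name strip' removes them; strip can break registry
# entries and shortcuts that reference the old short paths, so take a backup first.
```

Re-run the vulnerability scan after stripping existing short names, since disabling creation alone does not close the finding for files that already have one.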
