logo

Path Equivalence: Windows 8.3 Filename

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application's security controls successfully block access to a file's full name on Windows, but fail to protect the shorter 8.3 format version of the same filename, creating a bypassable loophole.

Extended Description

Windows maintains backward compatibility by automatically generating a short 8.3 filename (like 'DOCUME~1.TXT') for files with longer names. This creates two distinct paths to the same file. If your access control checks only validate the long filename, attackers can simply use the equivalent short name to bypass your restrictions. This is a classic path equivalence flaw where the system sees 'LONGFILENAME.DOC' and 'LONGFI~1.DOC' as different strings, even though they point to the same underlying resource. Developers must normalize and validate both naming formats in their security logic to close this gap.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: System Configuration
Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.
Observed Examples 3
CVE-1999-0012Multiple web servers allow restriction bypass using 8.3 names instead of long names
CVE-2001-0795Source code disclosure using 8.3 file name.
CVE-2005-0471Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format.
References 2
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Resolution of Path Equivalence (CWE-41)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Research GapProbably under-studied.