CVE-2002-1052 in Jigsaw
Summary
by MITRE
Jigsaw 2.2.1 on Windows systems allows remote attackers to use MS-DOS device names in HTTP requests to (1) cause a denial of service using the "con" device, or (2) obtain the physical path of the server using two requests to the "aux" device.
Analysis
by VulDB Data Team • 09/10/2025
The vulnerability identified as CVE-2002-1052 affects Jigsaw web server version 2.2.1 running on Windows operating systems. It is a significant security flaw in the server's handling of MS-DOS device names within HTTP requests. The vulnerability stems from the server's inadequate input validation and improper processing of special device names that are part of the Windows operating system's file system architecture. The issue specifically concerns the server's response to device names such as "con", "aux", "prn", "lpt1", "com1", and others that Windows reserves for system devices rather than regular files. When these device names are included in HTTP requests, the server fails to sanitize or reject them, creating conditions that remote attackers can exploit.
The vulnerability involves two distinct attack vectors, both of which follow from the server's weak handling of device name resolution. The first vector enables a denial of service attack through the "con" device name, which represents the console device in Windows systems. When an attacker submits an HTTP request containing this device name, the server attempts to process it as if it were a regular file path, causing the system to hang or crash due to the special nature of the console device. This particular attack vector aligns with CWE-20, which covers improper input validation, and can be categorized under the broader ATT&CK technique T1499.200 for network denial of service attacks. The second vector involves the "aux" device name, which allows attackers to obtain the physical path of the server through a two-request sequence. The auxiliary device name, when processed by the vulnerable server, reveals directory structures and file paths that should remain hidden from remote users, resulting in information disclosure.
The operational impact of this vulnerability extends beyond simple service disruption to include serious information disclosure concerns that can compromise server security. The denial of service aspect can render the web server unavailable to legitimate users for extended periods, potentially causing business disruption and revenue loss. The information disclosure component is particularly concerning as it allows attackers to map the server's file system structure, which can serve as a foundation for more sophisticated attacks. Attackers can use the revealed physical paths to plan further exploitation attempts, including directory traversal attacks or attempts to access sensitive files that might be stored in predictable locations. This vulnerability demonstrates the importance of proper input sanitization and the dangers of relying on operating system-specific features without adequate security controls.
Mitigation strategies for CVE-2002-1052 should focus on implementing robust input validation and sanitization mechanisms that prevent device names from being processed as file paths. System administrators should update to newer versions of Jigsaw that properly handle these device names or implement proxy filters that intercept and block requests containing MS-DOS device names. The solution should incorporate proper request filtering at the application level, ensuring that any HTTP requests containing reserved device names are rejected before processing. Security configurations should include disabling access to system devices through the web server interface and implementing proper access controls that prevent the server from exposing internal file system structures. Organizations should also consider implementing network-level controls that filter out suspicious requests based on known patterns of device name usage. This vulnerability highlights the necessity of following security best practices such as those outlined in the OWASP Top Ten and emphasizes the importance of secure coding practices that prevent the exploitation of operating system features through web applications. The issue also demonstrates the relevance of the principle of least privilege and proper system hardening measures that reduce the attack surface available to potential attackers.
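One way to implement the request filtering described above, as an added example (not code from Jigsaw, MITRE or VulDB). The function names and sample request lines are constructed for illustration, and the filter assumes origin-form request targets such as `/path?query`.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names from the Windows file-naming rules.
# COM0/LPT0 are included to stay on the conservative side.
_RESERVED = re.compile(r"(?:con|prn|aux|nul|com[0-9]|lpt[0-9])", re.IGNORECASE)


def is_reserved_segment(segment: str) -> bool:
    """True if one path segment would resolve to a DOS device on Windows."""
    # Win32 still resolves the device when the name carries an extension,
    # a trailing colon, or trailing spaces/dots: "aux.html", "CON:", "con .".
    base = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ")
    return _RESERVED.fullmatch(base) is not None


def request_targets_device(target: str) -> bool:
    """Check the path of an origin-form request target (hypothetical helper)."""
    path = target.split("?", 1)[0]  # the query string is not a file path
    for _ in range(3):  # bounded re-decoding catches double-encoded names
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat both separators as segment boundaries, as Windows does.
    return any(is_reserved_segment(s) for s in re.split(r"[/\\]+", path) if s)


# Constructed sample request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /aux HTTP/1.0",
    "GET /docs/CON HTTP/1.0",
    "GET /docs/%63on HTTP/1.0",
    "GET /images/icon.png HTTP/1.0",
    "GET /COM1.txt HTTP/1.0",
    "GET /search?q=con HTTP/1.0",
]


def blocked(requests):
    """Return the request lines a front-end filter should reject."""
    out = []
    for line in requests:
        parts = line.split(" ")
        if len(parts) == 3 and request_targets_device(parts[1]):
            out.append(line)
    return out


if __name__ == "__main__":
    for line in blocked(SAMPLE_REQUESTS):
        print("400 Bad Request <-", line)
```

The check runs on the decoded path, per segment, so names like `icon.png` or a `con` value in the query string pass while `aux`, `CON`, `%63on` and `COM1.txt` are rejected before the server touches the file system.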