Vulnerability Development mailing list archives
Re: special characters (HTTP)
From: Peter Tonoli <anarchie () SUBURBIA NET>
Date: Sun, 20 Aug 2000 08:17:11 +1000
On Sun, 6 Aug 2000, Bluefish wrote:
I believe most mayor httpds (apache, IIS etc) has delt with this problem long ago. However, some less wellknown httpd-softwares have had serious problems with this (checking that URL doesn't contain ".." BEFORE converting special characters)
Err, shouldn't this be *after* converting special chars? What if the converted characters are '..' or similar - I seem to remember a vulnerability involving this (can't remember what http server however!). :) Peter
Current thread:
- special characters (HTTP) Ory Segal (Aug 03)
- Re: special characters (HTTP) Bluefish (Aug 06)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Mikael Olsson (Aug 08)
- Re: special characters (HTTP) Iván Arce (Aug 09)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Bluefish (Aug 06)
- <Possible follow-ups>
- Re: special characters (HTTP) netsec [davidv] (Aug 08)