Vulnerability Development mailing list archives
Re: special characters (HTTP)
From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Tue, 8 Aug 2000 14:02:18 +0200
Peter Tonoli wrote:
On Sun, 6 Aug 2000, Bluefish wrote:I believe most mayor httpds (apache, IIS etc) has delt with this problem long ago. However, some less wellknown httpd-softwares have had serious problems with this (checking that URL doesn't contain ".." BEFORE converting special characters)Err, shouldn't this be *after* converting special chars? What if the converted characters are '..' or similar - I seem to remember a vulnerability involving this (can't remember what http server however!). :)
I'd say you're talking about the same thing: Bluefish was saying that httpds have problems because they're checking for "/.." before converting. You're saying that checks should be done after converting. Voila! :) Our alltime vulnerability favorite web server IIS has had problems like these. Lesson: FIRST convert, THEN check. (Just as you said). -- Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-66 77 636 WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
Current thread:
- special characters (HTTP) Ory Segal (Aug 03)
- Re: special characters (HTTP) Bluefish (Aug 06)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Mikael Olsson (Aug 08)
- Re: special characters (HTTP) Iván Arce (Aug 09)
- Re: special characters (HTTP) Peter Tonoli (Aug 07)
- Re: special characters (HTTP) Bluefish (Aug 06)
- <Possible follow-ups>
- Re: special characters (HTTP) netsec [davidv] (Aug 08)