Vulnerability Development mailing list archives
Re: special characters (HTTP)
From: "netsec [davidv]" <netsec () GFI COM>
Date: Tue, 8 Aug 2000 10:24:20 +0200
Yes, rfp posted some details on the ntsecurity list; however, I don't want to post the whole text here 'cause of copyright stuff.
The subject of the post was: More info on MS99-061 (IIS escape character vulnerability)
date: Thu 12/30/99 4:39 AM
-----Original Message-----
From: Peter Tonoli [mailto:anarchie () SUBURBIA NET]
Sent: Sunday, August 20, 2000 12:17 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: special characters (HTTP)

On Sun, 6 Aug 2000, Bluefish wrote:

> I believe most major httpds (apache, IIS etc) have dealt with this problem
> long ago. However, some less well-known httpd-softwares have had serious
> problems with this (checking that URL doesn't contain ".." BEFORE
> converting special characters)

Err, shouldn't this be *after* converting special chars? What if the converted characters are '..' or similar - I seem to remember a vulnerability involving this (can't remember what http server however!). :)

Peter
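The ordering question discussed in this thread, as an added example (not code from any poster or from any server named here): a constructed handler that checks for ".." before converting escapes, beside one that converts first and then validates the final path. `DOCROOT`, the function names and the sample request paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root (assumption)


def resolve_check_before_decode(url_path):
    """Flawed ordering: test the raw URL for '..', then convert escapes."""
    if ".." in url_path.split("/"):
        return None  # rejected
    decoded = unquote(url_path)  # escaped dots only become '..' here
    return posixpath.normpath(DOCROOT + "/" + decoded)


def resolve_decode_then_check(url_path):
    """Corrected ordering: convert escapes once, normalise, then validate."""
    decoded = unquote(url_path)
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # Containment test on the final path instead of a substring match,
    # so a harmless 'docs/../index.html' still resolves inside DOCROOT.
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None  # rejected
    # The caller must open 'full' as-is; decoding again would reopen the gap.
    return full


# Constructed request paths for the comparison.
SAMPLES = [
    "/index.html",
    "/../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/docs/%2e%2e/index.html",
    "/%252e%252e/x",
]


def compare(samples=SAMPLES):
    """Return (request, flawed_result, corrected_result) for each sample."""
    return [(s, resolve_check_before_decode(s), resolve_decode_then_check(s))
            for s in samples]


if __name__ == "__main__":
    for request, flawed, corrected in compare():
        print(f"{request!r:32} flawed={flawed!r:24} corrected={corrected!r}")
```

The third sample is the case the thread is about: the flawed handler resolves it outside `DOCROOT`, while the corrected one rejects it.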