Vulnerability Development mailing list archives
IIS Request.QueryString function improperly parses URL escape sequences, revealing server variables
From: Scott.Miller () VANDENBERG AF MIL (Miller Scott Contr 30CS/FTI)
Date: Wed, 17 May 2000 07:34:53 -0700
I first encountered this problem about two years ago, and submitted a bug report to Microsoft, with no response. I'm not entirely sure of the security implications of the bug - I haven't been able to accomplish anything significant with it, but if the same flaw exists elsewhere it might be of interest.

The problem: When passed a URL query string ending in %, the Request.QueryString function apparently attempts to decode the string terminator as part of the escape sequence, and then continues reading past the end of the string. In my tests, the next thing it comes across appears to be the APPL_MD_PATH server variable. This only affects values from the QueryString() collection, and not the raw QueryString itself. If the contents of the value are passed back to the user, the APPL_MD_PATH variable is revealed.

An Example:

Submitted query string:
    /detail.asp?op=w123%

Code:
    <% OpNum = Request.QueryString("op") %>
    ...
    <TITLE>Detail for Op #<% = OpNum %></TITLE>

Displayed page title:
    Detail for Op #W123?LM/W3SVC/1/ROOT

As I said, I submitted this to Microsoft about two years ago, and it still seems to be a problem in service pack 6a. My workaround has been to check the QueryString value for a trailing % and terminate script execution if found. While it doesn't appear to be a serious issue, it would seem to indicate some sloppy and potentially dangerous code.

Scott Miller
Frontier Technology, Inc
Vandenberg AFB Network Control Center
(805) 606-2046 / DSN 276-2046
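The trailing-% case described in the message above, as an added example (not code from the original post and not IIS's implementation): a percent-decoder in C that checks both hex digits lie inside the value before decoding, so `w123%` is rejected instead of being read past its end. The name `qs_decode`, its signature and its reject-on-error policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex digit value, or -1. The NUL terminator is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a percent-encoded query value of in_len bytes into out (out_cap bytes).
 * Returns the decoded length, or -1 for a truncated or non-hex escape or when
 * out is too small. Hypothetical helper, not an IIS or ASP API. */
long qs_decode(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    if (out_cap == 0) return -1;
    while (i < in_len) {
        unsigned char ch = (unsigned char)in[i];
        if (ch == '%') {
            /* "%" must be followed by two bytes that are still inside the
             * value: a trailing "%" or "%4" is an error, never a read ahead. */
            if (in_len - i < 3) return -1;
            int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            ch = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            if (ch == '+') ch = ' ';   /* form encoding: '+' means space */
            i++;
        }
        if (o + 1 >= out_cap) return -1;   /* keep room for the terminator */
        out[o++] = (char)ch;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    const char *q = "w123%";   /* value from the post's example query string */
    char buf[64];
    long n = qs_decode(q, strlen(q), buf, sizeof buf);
    puts(n < 0 ? "rejected: malformed escape sequence" : buf);
    return 0;
}
```

Rejecting the request on a malformed escape matches the workaround in the message, which terminates script execution when the value ends in %.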