Vulnerability Development mailing list archives

IIS Request.QueryString function improperly parses URL escape sequences, revealing server variables


From: Scott.Miller () VANDENBERG AF MIL (Miller Scott Contr 30CS/FTI)
Date: Wed, 17 May 2000 07:34:53 -0700


I first encountered this problem about two years ago, and submitted a bug
report to Microsoft, with no response.  I'm not entirely sure of the
security implications of the bug - I haven't been able to accomplish
anything significant with it, but if the same flaw exists elsewhere it might
be of interest.

The problem:

When passed a URL query string ending in %, the Request.QueryString function
apparently attempts to decode the string terminator as part of the escape
sequence, and then continues reading past the end of the string.  In my
tests, the next thing it comes across appears to be the APPL_MD_PATH server
variable.  This only affects values from the QueryString() collection, and
not the raw QueryString itself.  If the contents of the value are passed
back to the user, the APPL_MD_PATH variable is revealed.

An Example:

Submitted query string: /detail.asp?op=w123%

Code:

<% OpNum = Request.QueryString("op") %>
...
<TITLE>Detail for Op #<% = OpNum %></TITLE>

Displayed page title: Detail for Op #W123?LM/W3SVC/1/ROOT

As I said, I submitted this to Microsoft about two years ago, and it still
seems to be a problem in service pack 6a.  My workaround has been to check
the QueryString value for a trailing % and terminate script execution if
found.  While it doesn't appear to be a serious issue, it would seem to
indicate some sloppy and potentially dangerous code.

Scott Miller
Frontier Technology, Inc
Vandenberg AFB Network Control Center
(805) 606-2046 / DSN 276-2046
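The behaviour Scott describes, a decoder that consumes the string terminator as part of a trailing "%" escape and then keeps reading, is exactly what a bounds-checked percent-decoder has to rule out. The C below is an added example, not code from the original post or from IIS/ASP: it decodes a single query-string value, rejects truncated ("%", "%4") and non-hex ("%zz") escapes instead of reading past the end of the input, and includes a helper mirroring the post's own workaround of refusing any value that ends in "%". The function names, the "+"-to-space convention and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Bounds-checked percent-decoder for a single query-string value.
 *   in     NUL-terminated raw value as it appears after "op="
 *   out    destination buffer, always NUL-terminated on return
 *   outlen size of out in bytes
 * Returns the number of decoded bytes, or -1 on a truncated escape
 * ("%" or "%4" at the end of the input), a non-hex escape ("%zz"), or an
 * output buffer that is too small. The remaining-length check before
 * touching in[i+1] and in[i+2] is the guard the behaviour in the post
 * lacks: a trailing "%" is rejected rather than decoded from whatever
 * bytes happen to follow the terminator.
 */
int percent_decode(const char *in, char *out, size_t outlen) {
    size_t inlen = strlen(in);
    size_t o = 0;

    if (outlen == 0) return -1;
    for (size_t i = 0; i < inlen; i++) {
        if (o + 1 >= outlen) {          /* keep room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (in[i] == '%') {
            if (inlen - i < 3) {        /* "%" or "%X" with nothing after */
                out[0] = '\0';
                return -1;
            }
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) {
                out[0] = '\0';
                return -1;
            }
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';             /* form-encoding convention (assumed) */
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Decoded length of `in`, or -1 if it is rejected; uses a local buffer. */
int decode_status(const char *in) {
    char buf[128];
    return percent_decode(in, buf, sizeof buf);
}

/* 1 if `in` decodes cleanly to exactly `expected`, 0 otherwise. */
int decodes_to(const char *in, const char *expected) {
    char buf[128];
    int n = percent_decode(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Mirrors the workaround in the post: refuse a value ending in "%" before
 * it reaches any decoder or is echoed back into a page. */
int has_trailing_percent(const char *value) {
    size_t n = strlen(value);
    return n > 0 && value[n - 1] == '%';
}

int main(void) {
    /* Constructed sample values modelled on the query string in the post. */
    const char *samples[] = { "w123", "w123%41", "w123%", "w%4", "w%zz", "a+b%20c" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = percent_decode(samples[i], buf, sizeof buf);
        if (n < 0)
            printf("%-8s -> rejected (truncated or malformed escape)\n", samples[i]);
        else
            printf("%-8s -> \"%s\" (%d bytes)\n", samples[i], buf, n);
    }
    return 0;
}
```

The rejection path matters more than the happy path: a value the decoder refuses should never be echoed into a response, so the calling script (the equivalent of the ASP snippet above) should stop or return an error on -1 rather than fall through to the TITLE line.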

