Vulnerability Development mailing list archives
Re: IE bug (?)
From: Sardañons, Eliel <Eliel.Sardanons () PHILIPS EDU AR>
Date: Tue, 6 Feb 2001 09:34:20 -0300
Try searching for this in the Microsoft search engine (http://www.microsoft.com/search): "%00+" + or something else... then you will see some very strange behaviour. I haven't had time to try it, but I think that if we send IIS a request string like this (GET /%00AAAAAAAAAAAAAAAA...(a lot of chars)...AAAAAAAAAAAAAAAAAAAAAAAAA/ HTTP/1.0) then we could find a DoS... I will try and then I will tell you.

-----Original Message-----
From: Ian.Kayne () Softlab co uk [SMTP:Ian.Kayne () Softlab co uk]
Sent: Tuesday, February 06, 2001 6:39 AM
To: Eliel.Sardanons () PHILIPS EDU AR; VULN-DEV () SECURITYFOCUS COM
Subject: RE: IE bug (?)

I've checked this out, and noticed the following things:

1. Inserting anything between the %00 and the +- makes no change.
2. Inserting a "\" anywhere after the %00 automatically converts it to a "/", which is strange because using a "\" in place of a "/" in normal usage works fine, with no conversion (http://www.microsoft.com\windows\default.asp).
3. Regardless of the string used (eg: ..../%00+-/thisdoesntexist.htm), everything after the final "/" is replaced with the default domain page. However, even when the "correct" URL is appended, IE still sits in a loop.
4. You do not require the +- to create this fault: http://www.microsoft.com/%00/ms.htm produces the same result.
5. "/" seems to delimit the %00 in some way - if it is not surrounded by "/" or "\"'s, the fault does not appear.
6. The fault only occurs when using a valid domain name on IIS. So IIS must have some hand in this - possibly the way it translates the bad URL, returning another bad URL to IE?

Tested on IE5.

Another Unicode problem? Strange behaviour at least...

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

-----Original Message-----
From: Sardañons, Eliel [mailto:Eliel.Sardanons () PHILIPS EDU AR]
Sent: 05 February 2001 18:08
Subject: IE bug (?)

http://www.farmaciastodas.com.ar/%00+-/
http://www.microsoft.com/%00+-/
"%00+-/"

I have been trying to know the nature of this bug, but I couldn't find anything... I think (I'm sure) that this is an IE bug, but it doesn't work in all the HTTP servers; I have seen that it only works in IIS and, only sometimes. If you can help me. Thanks.

Eliel C. Sardañons
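
The request shapes discussed in this thread (an encoded NUL as its own path segment, a backslash after it, a very long segment) can be flagged on the server side before the path reaches any handler. The following is an added example, not part of the original messages: the function names, the `MAX_SEGMENT` limit and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_SEGMENT = 255  # assumed limit, not taken from the thread; tune per application
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

def fully_decode(path, rounds=3):
    """Percent-decode repeatedly so double-encoded forms (%2500) are also seen."""
    for _ in range(rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def inspect_request_line(line):
    """Return a list of findings for one HTTP request line (empty list = clean)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["malformed-request-line"]
    path = m.group("target").split("?", 1)[0]  # ignore the query string
    decoded = fully_decode(path)
    findings = []
    if "\x00" in decoded:
        findings.append("nul-in-path")
    if "\\" in decoded:
        findings.append("backslash-in-path")
    if any(len(seg) > MAX_SEGMENT for seg in decoded.split("/")):
        findings.append("overlong-segment")
    return findings

# Constructed sample request lines modelled on the URLs quoted in the thread.
SAMPLES = [
    "GET /default.asp HTTP/1.0",
    "GET /%00+-/ HTTP/1.0",
    "GET /%00/ms.htm HTTP/1.0",
    "GET /%2500/ms.htm HTTP/1.0",
    "GET /%00\\windows/default.asp HTTP/1.0",
    "GET /%00" + "A" * 300 + "/ HTTP/1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_request_line(s) or ["ok"], s[:60])
```

The same function can be run over access-log request lines to find past requests of this shape, or called from a front-end filter to reject them with a 400 response.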