Vulnerability Development mailing list archives

Re: double decode: to slash or not to slash.


From: H D Moore <hdm () secureaustin com>
Date: Wed, 4 Jul 2001 16:00:14 -0500

On Wednesday 04 July 2001 06:43 am, Roelof wrote:
> Hi all.
>
> Strange thing with double decode problem on IIS. Refer:
> http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
>
> Most scanners (including the Nessus plugin) check for the problem using
> the following string:
>
> /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Woops, you are right. I have noticed the same behavior in the field with
both the nessus plugin and my unicoder.pl script. Is it only the %255c
sequence that you have seen with this problem? Since %255c double-decodes to
"/", the problem could be that IIS is only allowing directory traversal
(via ..) when the target directory is double-encoded, so that final ../ needs
to be ..%255c for it to go through.

-HD
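To make the double-decode behaviour discussed above concrete from the detection side, here is an added example (not code from this thread, from Nessus, or from unicoder.pl) that decodes a request path twice, shows each decoding stage so the reader can see what %255c turns into, and flags paths that only escape the web root after the second decode. The sample request paths are constructed for the example; the first one is the probe string quoted in the thread.

```python
"""Double-decode normalisation check for IIS-style request paths (added example)."""
import re
from urllib.parse import unquote

# Constructed sample paths: the thread's probe string plus benign and single-decode cases.
SAMPLE_PATHS = [
    "/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
    "/%252e%252e/secret.txt",
    "/images/logo.gif",
]


def decode_stages(path):
    """Return (raw, once, twice): the path component after 0, 1 and 2 percent-decodes."""
    raw = path.split("?", 1)[0]          # drop the query string; only the path matters
    once = unquote(raw)                  # e.g. %255c -> %5c
    twice = unquote(once)                # e.g. %5c   -> \
    return raw, once, twice


def escapes_root(decoded):
    """True if walking '/'- or '\\'-separated segments ever climbs above the web root."""
    depth = 0
    for seg in re.split(r"[\\/]+", decoded):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(path):
    """Label a request path by which decoding pass (if any) makes it escape the root."""
    _, once, twice = decode_stages(path)
    if escapes_root(once):
        return "traversal"               # visible after a single decode (normal filters catch it)
    if escapes_root(twice):
        return "double-decode traversal" # only the second decode reveals the '..' separators
    return "ok"


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        raw, once, twice = decode_stages(p)
        print(f"{classify(p):24} raw={raw}\n{'':24} once={once}\n{'':24} twice={twice}")
```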
