Vulnerability Development mailing list archives
Re: double decode: to slash or not to slash.
From: H D Moore <hdm () secureaustin com>
Date: Wed, 4 Jul 2001 16:00:14 -0500
On Wednesday 04 July 2001 06:43 am, Roelof wrote:
> Hi all. Strange thing with the double decode problem on IIS.
> Refer: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
> Most scanners (including the Nessus plugin) check for the problem using the following string:
> /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
Whoops, you are right. I have noticed the same behavior in the field with both the Nessus plugin and my unicoder.pl script. Is it only the %255c sequence that you have seen with this problem? Since %255c double-decodes to "/", the problem could be that IIS is only allowing directory traversal (via ..) when the target directory is double-encoded, so that the final ../ needs to be ..%255c for it to go through.

-HD
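The following is an added example, not code from this thread or from Microsoft. It models the decode-check-decode ordering that makes the %255c probe work: a request handler that runs its traversal check on the once-decoded path and then decodes the path a second time before mapping it to the filesystem. The web root, the shape of the traversal check (reject any literal ".." segment) and the "fixed" handler are assumptions made for illustration and are not IIS internals; the model also does not settle the question raised above about whether the trailing "../" must itself be double-encoded, since in this model both forms traverse.

```python
"""Model of the IIS "double decode" bug behind MS01-026 and the scanner probe.

Added example, not code from the thread. The web root, the traversal check
and the two request handlers are assumptions used to illustrate why a path
that passes a check on its once-decoded form can still escape the web root
when it is decoded again before use.
"""
import re
from urllib.parse import unquote

# Constructed web root; the probe string is the one quoted in the thread.
WEBROOT = ["C:", "Inetpub", "wwwroot"]
PROBE = "/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir"


def decode_once(s: str) -> str:
    return unquote(s)


def decode_twice(s: str) -> str:
    # %255c -> %5c after one pass, -> a backslash after the second.
    return unquote(unquote(s))


def segments(path: str) -> list:
    """Split on either separator, treating '/' and '\\' alike."""
    return [s for s in re.split(r"[\\/]", path) if s]


def traversal_check_passes(path: str) -> bool:
    """Assumed check: reject a path that contains a literal '..' segment."""
    return ".." not in segments(path)


def resolve(path: str):
    """Map a decoded request path under WEBROOT.

    Returns (filesystem path, escaped); escaped is True when a '..'
    climbed above the web root at any point.
    """
    comps = list(WEBROOT)
    depth = 0
    escaped = False
    for seg in segments(path):
        if seg == ".":
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                escaped = True
            if len(comps) > 1:  # never pop the drive letter
                comps.pop()
        else:
            depth += 1
            comps.append(seg)
    return "\\".join(comps), escaped


def serve_vulnerable(request: str):
    """Bug: the check runs on the once-decoded path, but the path is
    decoded again before it is mapped to the filesystem."""
    path = request.split("?", 1)[0]
    checked = decode_once(path)
    if not traversal_check_passes(checked):
        return ("rejected", checked, False)
    used = decode_once(checked)  # the second, unchecked decode
    fs_path, escaped = resolve(used)
    return ("served", fs_path, escaped)


def serve_fixed(request: str):
    """Illustrative fix: decode once and use exactly the string that was checked."""
    path = request.split("?", 1)[0]
    checked = decode_once(path)
    if not traversal_check_passes(checked):
        return ("rejected", checked, False)
    fs_path, escaped = resolve(checked)
    return ("served", fs_path, escaped)


if __name__ == "__main__":
    for label, handler in (("vulnerable", serve_vulnerable), ("fixed", serve_fixed)):
        print(label, handler(PROBE))
    # The single-encoded form is rejected even by the vulnerable handler,
    # which is why the scanners have to send %255c rather than %5c.
    print("single-encoded, vulnerable", serve_vulnerable(PROBE.replace("%255c", "%5c")))
```

Running it shows the vulnerable handler accepting the probe and resolving it to C:\winnt\system32\cmd.exe with the root escaped, while the fixed handler keeps the same request under the web root, where "..%5c..%5c..%5c..%5c.." is just a filename component that does not exist.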
Current thread:
- double decode: to slash or not to slash. Roelof (Jul 04)
- Re: double decode: to slash or not to slash. H D Moore (Jul 04)
- Re: double decode: to slash or not to slash. warning3 (Jul 04)