WebApp Sec mailing list archives
Re: Double Slashes
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 4 Aug 2005 17:01:18 -0400 (EDT)
Nearly every web server and/or major server package has been hit with double slash problems in the past, so it wouldn't surprise me if it is well-handled by most major products now. Of course, an application on top of the server could have similar problems, if it processes pathnames itself. You might want to check for validate-before-filter errors by injecting unusual characters in between the double slashes, like "/%00/" or "/%FF/" or any number of varieties. Software that tries to get rid of "//" might do this before clearing out bad characters, leading to a collapse after the filter into the "//". Mixed encodings might be successful too, e.g. "/%2e". And you might want to try the Windows drive letter e.g. "C:/abc/def" - Steve
Current thread:
- Double Slashes Andres Molinetti (Aug 04)
- <Possible follow-ups>
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- Re: Double Slashes Steven M. Christey (Aug 04)
- RE: Double Slashes Kyle Quest (Aug 05)