Re: special characters (HTTP)

["netsec [davidv]" <netsec () GFI COM>]

Yes rfp posted some details on the ntsecurity list howerver i dotn want
to post the whole text here cause of copyrite stuff.\

the subject of the post was: More info on MS99-061 (IIS escape character
vulnerability)
date: Thu 12/30/99 4:39 AM

> -----Original Message-----
> From: Peter Tonoli [mailto:anarchie () SUBURBIA NET]
> Sent: Sunday, August 20, 2000 12:17 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: special characters (HTTP)
>
>
> On Sun, 6 Aug 2000, Bluefish wrote:
>
> > I believe most mayor httpds (apache, IIS etc) has delt with
> this problem
> > long ago. However, some less wellknown httpd-softwares have
> had serious
> > problems with this (checking that URL doesn't contain ".." BEFORE
> > converting special characters)
>
> Err, shouldn't this be *after* converting special chars? What if the
> converted characters are '..' or similar - I seem to remember a
> vulnerability involving this (can't remember what http server
> however!). :)
>
> Peter



GFI - Security & communications products for Windows NT/2000
http://www.gfi.com

**********************************************************
This mail was content checked for malicious code or viruses
by Mail essentials. Mail essentials for Exchange/SMTP is an
email security, content checking & anti-virus gateway that
removes all types of email-borne threats before they can affect
your email users. Spam, viruses, dangerous attachments & offensive
content can be removed before they reach your mail server.
In addition it has server-based email encryption, disclaimers
and other email features.
***********************************************************

In addition to Mail essentials, GFI also produces the FAXmaker
fax server product range & LANguard internet access control &
intrusion detection. For more information on our products please
visit http://www.gfi.com