Vulnerability Development mailing list archives

Re: IE bug (?)


From: syzop <syz () DDS NL>
Date: Tue, 6 Feb 2001 18:39:56 +0100

First of all, I get the same 'result' with %00/ too.
I have been sniffing to see what the difference is between (for example)
www.chatcity.nl and www.chatcity.nl/%00/: the first one gives me a normal page,
the %00/ one gives me a blank page with <HTML></HTML> in the source.
Here's the dump:
-- http://www.chatcity.nl/ (S=Send, R=Received): --
S> GET / HTTP/1.1
S> Accept: application/msword, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
S> Accept-Language: nl
S> Accept-Encoding: gzip, deflate
S> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; BCD2000)
S> Host: www.chatcity.nl
S> Connection: Keep-Alive
S> Cookie: ASPSESSIONIDQGGGQQEL=IFPCEBBAAFIAPHNPPOMPDPGP
S>
R> HTTP/1.1 200 OK
R> Server: Microsoft-IIS/4.0
R> Content-Location: http://www.chatcity.nl/Default.htm
R> Date: Tue, 06 Feb 2001 17:15:58 GMT
R> Content-Type: text/html
R> Accept-Ranges: bytes
R> Last-Modified: Fri, 17 Nov 2000 14:21:22 GMT
R> ETag: "05de6a8a150c01:17b4"
R> Content-Length: 822
R>
R> <html>
R> <head><title>Chatcity - Gezellig chatten</title>
etc...

-- http://www.chatcity.nl/%00/ (S=Send, R=Received): --
S> GET /%00/ HTTP/1.1
S> Accept: */*
S> Accept-Language: nl
S> Accept-Encoding: gzip, deflate
S> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; BCD2000)
S> Host: www.chatcity.nl
S> Connection: Keep-Alive
S> Cookie: ASPSESSIONIDQGGGQQEL=IFPCEBBAAFIAPHNPPOMPDPGP
S>
R> HTTP/1.1 200 OK
R> Server: Microsoft-IIS/4.0
R> Content-Location: http://www.chatcity.nl/Default.htm
R> Date: Tue, 06 Feb 2001 17:30:49 GMT
R> Content-Type: text/html
R> Accept-Ranges: bytes
R> Last-Modified: Fri, 17 Nov 2000 14:21:22 GMT
R> ETag: "05de6a8a150c01:17b4"
R> Content-Length: 822
R>
R> <html>
R> <head><title>Chatcity - Gezellig chatten</title>
etc...

I don't see any difference (ok, apart from the date) in the headers & data the server returns,
strange... guess it's indeed a browser bug or so...
I got the same results on both Netscape and iexplore, but with lynx I just get the normal
page even with the %00/ or %00+-/.

I guess the IIS servers just return a normal page when you add %00/, and the other servers
(or at least some/most of them) give an error.

Cya

    Syz.

Sardañons, Eliel wrote:

http://www.farmaciastodas.com.ar/%00+-/
http://www.microsoft.com/%00+-/

"%00+-/" I have been trying to know the nature of this bug, but I couldn't
find anything ... I think (I'm sure) that this is an IE bug, but it doesn't
work in all the http servers, I have seen that it only works in IIS and, only
sometimes.

If you can help me. Thanks.

Eliel C. Sardañons
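
The comparison Syz did by eye on the two dumps above, done programmatically, as an added example that is not code from either poster: the two captured responses are transcribed from the dump (bodies cut off where the dump says "etc..."), parsed into status line, headers and body, and diffed field by field with Date excluded, which confirms the server sent byte-for-byte the same answer for "/" and "/%00/". The second half shows what the path actually decodes to and the check a server or reverse proxy can apply so that a path containing an encoded NUL is rejected rather than served as the default page; the function names and the "reject control characters" policy are this example's own assumptions, not anything IIS or IE does.

```python
"""Diff two captured HTTP/1.1 responses and check a request path for
percent-encoded control characters.  Added example for the thread above;
the responses are transcribed from the posted dump, bodies truncated
where the dump itself stops."""
from urllib.parse import unquote

# Response to "GET / HTTP/1.1" as captured in the dump above.
RESPONSE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://www.chatcity.nl/Default.htm\r\n"
    "Date: Tue, 06 Feb 2001 17:15:58 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Fri, 17 Nov 2000 14:21:22 GMT\r\n"
    'ETag: "05de6a8a150c01:17b4"\r\n'
    "Content-Length: 822\r\n"
    "\r\n"
    "<html>\r\n<head><title>Chatcity - Gezellig chatten</title>\r\n"
)

# Response to "GET /%00/ HTTP/1.1" as captured in the dump above.
RESPONSE_NUL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Content-Location: http://www.chatcity.nl/Default.htm\r\n"
    "Date: Tue, 06 Feb 2001 17:30:49 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Fri, 17 Nov 2000 14:21:22 GMT\r\n"
    'ETag: "05de6a8a150c01:17b4"\r\n'
    "Content-Length: 822\r\n"
    "\r\n"
    "<html>\r\n<head><title>Chatcity - Gezellig chatten</title>\r\n"
)


def parse_response(raw: str):
    """Split a raw response into (status line, header dict, body).
    Header names are lower-cased so the comparison is case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def diff_responses(raw_a: str, raw_b: str, ignore=("date",)):
    """Return {field: (a, b)} for every status/header/body field that differs.
    Header names in `ignore` (lower-case) are skipped; Date changes per request."""
    status_a, hdr_a, body_a = parse_response(raw_a)
    status_b, hdr_b, body_b = parse_response(raw_b)
    diff = {}
    if status_a != status_b:
        diff["status"] = (status_a, status_b)
    for name in sorted(set(hdr_a) | set(hdr_b)):
        if name in ignore:
            continue
        if hdr_a.get(name) != hdr_b.get(name):
            diff[name] = (hdr_a.get(name), hdr_b.get(name))
    if body_a != body_b:
        diff["body"] = (body_a, body_b)
    return diff


def decoded_control_chars(path: str):
    """Percent-decode a request path once and list the control characters
    (NUL and the other C0 controls, plus DEL) the decoded form contains.
    unquote() leaves '+' alone, which is what we want for a path."""
    decoded = unquote(path)
    return [ch for ch in decoded if ord(ch) < 0x20 or ord(ch) == 0x7F]


def path_is_acceptable(path: str) -> bool:
    """Assumed policy for a server or reverse proxy: refuse any path that
    decodes to a control character instead of routing it to a default page."""
    return not decoded_control_chars(path)


if __name__ == "__main__":
    print("differences ignoring Date:", diff_responses(RESPONSE_PLAIN, RESPONSE_NUL))
    print("differences including Date:",
          diff_responses(RESPONSE_PLAIN, RESPONSE_NUL, ignore=()))
    for p in ("/", "/%00/", "/%00+-/"):
        print(repr(p), "decodes to", repr(unquote(p)), "accept:", path_is_acceptable(p))
```

Run as-is, the diff with Date ignored is empty and the only difference otherwise is the Date header, matching what the poster observed; both "/%00/" and "/%00+-/" decode to a path containing a NUL byte and are refused by the policy check, which is the place to stop such a request before a browser ever has to interpret the response.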
