Vulnerability Development mailing list archives
Unusual response from IIS with some file names
From: "Woch, Wojciech" <Woch_W () ADMIRAL FR>
Date: Mon, 12 Mar 2001 18:43:15 +0100
Hello,

IIS v4.0 seems to give an unusual response when non-existing files ending with one of the following sequences of characters are requested:

:~n  |~n  ~n:  ~n|

where "n" stands for a number between 0-9 (ex: GET /file:~1). Instead of the regular 404, we get

HTTP/1.1 500 Server Error
Server: Microsoft-IIS/4.0
Date: Mon, 12 Mar 2001 17:08:27 GMT
Content-Type: text/html
Content-Length: 126

<html><head><title>Error</title></head><body>The filename, directory name, or volume label syntax is incorrect. </body></html>

The text corresponds to the WIN32 status code #123, which can be seen under sc-win32-status in the log files, as if the message was received directly from the OS. Normally, special characters that induce a WIN32 status of 123 are shown in the log, but a 404 is still returned instead of the effective error message from the OS (ex: GET /file||1).

This behaviour seems to be introduced by MS00-30 (at least it shows up after installing IIS with defaults + MS00-30 on NT 4.0).

Trying to pipe commands directly following the file name with regular shell escapes (&|) or overflowing (returns to a 404 after about 278 characters) doesn't give up much; maybe someone can push it a little further/has an idea about the issue?
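For administrators who want to see whether their own servers show the two behaviours described in the message, the sketch below scans an IIS log for requests with sc-win32-status 123 and separates the 500 responses with one of the four trailing sequences from the 404 responses. It is an added example, not part of the original post; it assumes W3C extended logging with the cs-uri-stem, sc-status and sc-win32-status fields enabled, and the log lines in it are constructed.

```python
import re

# The four trailing sequences from the post: :~n  |~n  ~n:  ~n|  (n = 0-9)
TRAILING_SEQ = re.compile(r"(?:[:|]~[0-9]|~[0-9][:|])$")
INVALID_NAME = "123"  # WIN32 status code named in the post

# Constructed sample log in W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status
2001-03-12 17:08:27 192.0.2.10 GET /file:~1 500 123
2001-03-12 17:08:31 192.0.2.10 GET /file||1 404 123
2001-03-12 17:08:40 192.0.2.11 GET /default.htm 200 0
2001-03-12 17:09:02 192.0.2.10 GET /docs/a~3| 500 123
2001-03-12 17:09:10 192.0.2.12 GET /missing.htm 404 2
"""

def parse_w3c(text):
    """Yield one dict per request, honouring the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def classify(entry):
    """Return 'raw-os-error', 'masked-404', or None for unrelated requests."""
    if entry.get("sc-win32-status") != INVALID_NAME:
        return None
    status = entry.get("sc-status")
    if status == "500" and TRAILING_SEQ.search(entry.get("cs-uri-stem", "")):
        return "raw-os-error"   # OS error text returned to the client
    if status == "404":
        return "masked-404"     # same WIN32 status, regular 404 sent
    return None

def scan(text):
    """List (uri, client ip, kind) for every request with WIN32 status 123."""
    return [(e.get("cs-uri-stem", "-"), e.get("c-ip", "-"), kind)
            for e in parse_w3c(text)
            if (kind := classify(e)) is not None]

if __name__ == "__main__":
    for uri, ip, kind in scan(SAMPLE_LOG):
        print(f"{kind:13} {ip:12} {uri}")
```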