WebApp Sec mailing list archives
RE: Double Slashes
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Thu, 04 Aug 2005 15:56:13 +0000
I'm testing a client's application. And it seems to do some operations based on the .asp URI received. But it seems to need a "//", not just a "/", and IIS doesn't let it go through.
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
To: 'Andres Molinetti' <andymolinetti () hotmail com>, Auri () auri net, pen-test () securityfocus com
CC: webappsec () securityfocus com
Subject: RE: Double Slashes
Date: Thu, 4 Aug 2005 10:22:39 -0400

Might I ask why this application needs to use such URLs? I'm trying to guess what purpose this could serve and coming up blank.

-----Original Message-----
From: Andres Molinetti [mailto:andymolinetti () hotmail com]
Sent: Thursday, August 04, 2005 10:21 AM
To: Auri () auri net; pen-test () securityfocus com; Jeff Robertson
Cc: webappsec () securityfocus com
Subject: RE: Double Slashes

This IIS has no URLScan running. That's the odd thing. Therefore I think it may have been a patch or something. What I need is a way that the server doesn't strip my slashes and lets me send a URL like this: "www.example.com/dir//page.asp".

Any ideas?

>From: "Auri Rahimzadeh" <Auri () auri net>
>Reply-To: <Auri () auri net>
>To: 'Andres Molinetti' <andymolinetti () hotmail com>, <pen-test () securityfocus com>, Jeff Robertson <Jeff.Robertson () DigitalInsight com>
>CC: <webappsec () securityfocus com>
>Subject: RE: Double Slashes
>Date: Thu, 4 Aug 2005 08:58:11 -0500
>
>Look at URLScan and the IIS Lockdown Utility. Just search for it at
>Microsoft's web site.
>
>Best,
>
>-Auri
> Author
> "Geek My Ride" (available at Amazon and most bookstores!)
> www.GeekMyRide.net
>
>---------- Original Message ----------------------------------
>From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
>Date: Thu, 4 Aug 2005 09:45:11 -0400
>
> >This is very similar to what is being talked about wrt to Apache in
> >the thread of messages called "Heavy Security Issue" today. Maybe
> >IIS had something similar, and this is how they fixed it.
> >
> >-----Original Message-----
> >From: Andres Molinetti [mailto:andymolinetti () hotmail com]
> >Sent: Thursday, August 04, 2005 9:30 AM
> >To: pen-test () securityfocus com
> >Cc: webappsec () securityfocus com
> >Subject: Double Slashes
> >
> >Is there any way to encode a "//" in a GET request to an .ASP page in
> >IIS 5.0 (patched up2date)?
> >
> >For example..
> >
> >GET /dir1//dir2.asp HTTP/1.0
> >
> >IIS seems to convert to a single slash the following ones:
> >//
> >\\
> >/./
> >/../
> >///////// ...
> >
> >Not sure if it is some fix to old unicode and double encoding bugs.
> >
> >Regards,
> >
> >Andy
Current thread:
- Double Slashes Andres Molinetti (Aug 04)
- <Possible follow-ups>
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- Re: Double Slashes Steven M. Christey (Aug 04)
- RE: Double Slashes Kyle Quest (Aug 05)