WebApp Sec mailing list archives

RE: Double Slashes

From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Thu, 04 Aug 2005 15:56:13 +0000

I'm testing a client's application.
And it seems to do some operations based on the .asp URI received.

But it seems to need a "//", not just an "/" and IIS doesn't let it gothrough.

From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>

To: 'Andres Molinetti' <andymolinetti () hotmail com>, Auri () auri net,pen-test () securityfocus com

CC: webappsec () securityfocus com
Subject: RE: Double Slashes
Date: Thu, 4 Aug 2005 10:22:39 -0400

Might I ask why this application needs to use such URLs? I'm trying toguess

what purpose this could serve and coming up blank.

-----Original Message-----
From: Andres Molinetti [mailto:andymolinetti () hotmail com]
Sent: Thursday, August 04, 2005 10:21 AM
To: Auri () auri net; pen-test () securityfocus com; Jeff Robertson
Cc: webappsec () securityfocus com
Subject: RE: Double Slashes


This IIS has no URLScan running. That's the odd thing. Therefore I think it
may have been a patch or something.

What I need is a way that the server doesn't strip my slashes and let me
send an url like this "www.example.com/dir//page.asp".

Any ideas?

>From: "Auri Rahimzadeh" <Auri () auri net>
>Reply-To: <Auri () auri net>
>To: 'Andres Molinetti' <andymolinetti () hotmail com>,
><pen-test () securityfocus com>,    Jeff Robertson
><Jeff.Robertson () DigitalInsight com>
>CC: <webappsec () securityfocus com>
>Subject: RE: Double Slashes
>Date: Thu,  4 Aug 2005 08:58:11 -0500
>
>
>Look at URLScan and the IIS Locktown Utility. Just search for it at
>Microsoft's web site.
>
>Best,
>
>-Auri
>  Author
>  "Geek My Ride" (available at Amazon and most bookstores!)
>  www.GeekMyRide.net
>---------- Original Message ----------------------------------
>From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
>Date:  Thu, 4 Aug 2005 09:45:11 -0400
>
> >This is very similar to what is being talked about wrt to Apache in
> >the thread of messaeges called "Heavy Security Issue" today. Maybe
> >IIS had something similar, and this is how they fixed it.
> >
> >-----Original Message-----
> >From: Andres Molinetti [mailto:andymolinetti () hotmail com]
> >Sent: Thursday, August 04, 2005 9:30 AM
> >To: pen-test () securityfocus com
> >Cc: webappsec () securityfocus com
> >Subject: Double Slashes
> >
> >
> >Is there anyway to encode a "//" in a GET request to an .ASP page in
> >IIS
>5.0
> >
> >(patched up2date)
> >
> >For example..
> >
> >GET /dir1//dir2.asp HTTP/1.0
> >
> >IIS seems to convert to a single slash the following ones: //
> >\\
> >/./
> >/../
> >///////// ...
> >
> >Not sure if it is some fix to old unicode and double enconding bugs.
> >
> >Regards,
> >
> >Andy
> >
> >_________________________________________________________________
> >¿Estás pensando en cambiar de coche? Todas los modelos de serie y
> >extras
>en
> >MSN Motor. http://motor.msn.es/researchcentre/
> >
>
>

_________________________________________________________________

Un amor, una aventura, compañía para un viaje. Regístrate gratis en MSNAmor


& Amistad. http://match.msn.es/match/mt.cfm?pg=channel&tcid=162349


_________________________________________________________________

¿Estás pensando en cambiar de coche? Todas los modelos de serie y extras enMSN Motor. http://motor.msn.es/researchcentre/

Current thread:

Double Slashes Andres Molinetti (Aug 04)
- <Possible follow-ups>
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
  - RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Jeff Robertson (Aug 04)
  - RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- Re: Double Slashes Steven M. Christey (Aug 04)
- RE: Double Slashes Kyle Quest (Aug 05)