> What does this allow you to bypass? My guess is anything that plays or
> needs the raw filename or request. ISAPI filters and extension handlers
> come to mind. Who, what, where, and how are application specific.

One category of systems that are vulnerable to this is 3rd party authentication modules that do, for example, RADIUS authentication.

One system that I've checked uses a special directory, let's call it /authRoot, where the administrators can store customized login pages, graphics and so on. So, by necessity, it allows unauthenticated access to this directory.

Unfortunately the ISS bug allows one to "break out" of this directory by appending %1u%1u (".." in other words). So, to access default.asp we would enter the URL...

http://server/authRoot/%1u%1u/default.asp

And, ooops, unauthenticated access...
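The defensive point behind the post is that an "unauthenticated directory" rule must be evaluated on the path the server will actually serve, not on the raw request string. The following Python is an added example (not code from the post or from any product it describes): it contrasts a naive prefix check with one that refuses malformed escapes such as %1u, decodes once, normalizes separators and ".." segments, and only then applies the /authRoot rule. The /authRoot name is taken from the post; the server's own decoding quirk is not reproduced, only refused.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical public directory, mirroring the /authRoot in the post above.
PUBLIC_PREFIX = "/authRoot/"

# A '%' that is not followed by two hex digits is a malformed escape.
_MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def naive_is_public(raw_path: str) -> bool:
    """The weak check: a prefix test on the raw, undecoded request path."""
    return raw_path.startswith(PUBLIC_PREFIX)


def canonicalize(raw_path: str) -> Optional[str]:
    """Return the normalized path the server would serve, or None if the
    request cannot be decoded unambiguously and must be refused outright."""
    if _MALFORMED_ESCAPE.search(raw_path):
        return None                       # refuse odd escapes such as %1u
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded:
        return None                       # double-encoding or embedded NUL
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    decoded = re.sub(r"/+", "/", decoded)  # collapse repeated slashes
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)    # resolves '.' and '..' segments


def hardened_is_public(raw_path: str) -> bool:
    """Authorization decision made on the canonical path, not the raw one."""
    canonical = canonicalize(raw_path)
    if canonical is None:
        return False
    # Trailing slash added so the directory itself (/authRoot) also matches.
    return (canonical + "/").startswith(PUBLIC_PREFIX)


if __name__ == "__main__":
    for path in ("/authRoot/logo.gif", "/authRoot/%1u%1u/default.asp",
                 "/authRoot/%2e%2e/default.asp", "/authRoot/../default.asp"):
        print(f"{path:36} naive={naive_is_public(path)!s:5} "
              f"hardened={hardened_is_public(path)}")
```

The naive check passes every one of the traversal forms because they all begin with the literal /authRoot/ prefix; the hardened check passes only requests whose canonical path remains inside that directory.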
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:32 PDT