I have tested this on patched and unpatched IIS 4 & 5 servers and have found some strange results also.

Several recently patched IIS5 servers that I tested are not vulnerable to the Unicode bug (as would be expected), but are vulnerable to this one. Similarly with patched IIS4 servers I have tried. However, I have tried one patched IIS4 server that proved not to be vulnerable - the difference... none. Apart from the fact that the invulnerable server was the only one I actually, physically, patched myself. But I can't remember what I did that would make a difference.

This is why, for all installations, I now put all executable directories on a separate drive and rename the command interpreter.

Cheers
Matt

-----Original Message-----
From: neme-dhcat_private [mailto:neme-dhcat_private]
Sent: 16 May 2001 00:16
To: bugtraqat_private
Subject: About the new IIS %252c bug.

Hi,

I spotted the same behaviour on my win2k + IIS 5.0 installation. When I installed the unicode patch this problem disappeared. Hence why I did not publish this. Maybe other people can reproduce this as well?

Another one that works is %252f. %255c and %252f (slash and backslash) worked before I applied the patch and ceased working afterwards.

%255c and %252f are NOT unicode codes but hex codes. I find it strange that the unicode patch fixed this.

IIS4.0 installations without the unicode patch were not vulnerable when I tried.

greetz,
nemesystm
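Added example, not part of either post: a log check that flags request paths in which a slash or backslash only appears after a second round of percent-decoding, which is how %255c and %252f behave (%25 decodes to "%", leaving %5c or %2f for the next pass). The log layout, sample lines and function names are assumptions made for this illustration.

```python
from urllib.parse import unquote

# Constructed sample lines (assumed layout: date time client-ip method raw-uri status).
SAMPLE_LOG = """\
2001-05-16 00:16:01 192.0.2.10 GET /default.htm 200
2001-05-16 00:16:02 192.0.2.10 GET /docs/report%20final.txt 200
2001-05-16 00:16:03 192.0.2.11 GET /scripts/..%5c..%2fsample/file.txt 404
2001-05-16 00:16:04 192.0.2.11 GET /scripts/..%255c..%252fsample/file.txt 200
2001-05-16 00:16:05 192.0.2.12 GET /docs/50%2525off.txt 200
""".splitlines()

def decode_passes(path, max_passes=4):
    """Percent-decode repeatedly; return every intermediate form."""
    stages = [path]
    for _ in range(max_passes):
        nxt = unquote(stages[-1], encoding="latin-1")  # one byte -> one char
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages

def separators(s):
    """Count path separators of either kind."""
    return s.count("/") + s.count("\\")

def classify(uri):
    """Report whether a path separator is hidden behind one or two encodings."""
    stages = decode_passes(uri.split("?", 1)[0])  # path only, not the query
    counts = [separators(s) for s in stages]
    if len(counts) > 2 and max(counts[2:]) > counts[1]:
        return "double-encoded"   # separator appears on the second pass or later
    if len(counts) > 1 and counts[1] > counts[0]:
        return "single-encoded"   # separator appears on the first pass
    return "clean"

def scan(lines):
    """Return (line number, uri, verdict) for each request that is not clean."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # not a request line in the assumed layout
        verdict = classify(fields[4])
        if verdict != "clean":
            hits.append((n, fields[4], verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line shows that a doubly encoded percent sign on its own is not flagged; only encodings that end up producing a path separator are.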
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 14:18:39 PDT