On Wednesday 04 July 2001 06:43 am, Roelof wrote:
> Hi all.
>
> Strange thing with double decode problem on IIS. Refer:
> http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
>
> Most scanners (including the Nessus plugin) check for the problem using
> the following string:
>
> /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir

Woops, you are right. I have noticed the same behavior in the field with both the nessus plugin and my unicoder.pl script.

Is it only the %255c sequence that you have seen with this problem? Since %255c double-decodes to "/", the problem could be that IIS is only allowing directory traversal (via ..) when the target directory is double-encoded, so that final ../ needs to be ..%255c for it to go through.

-HD
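
A defender-side check for the request pattern discussed in this thread, as an added example that is not part of the original messages: it percent-decodes each logged URI path repeatedly and reports how many passes it takes for a `..` traversal sequence to appear, so a result of 2 marks the double-encoded form. The log format, the sample lines (apart from the scanner string quoted above) and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# ".." bounded by a forward slash or backslash (or string start/end).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def traversal_pass(uri, max_passes=3):
    """Return how many percent-decoding passes are needed before a
    traversal sequence appears in the path (0 = literal), else None."""
    current = uri.split("?", 1)[0]          # examine the path only
    for n in range(max_passes + 1):
        if TRAVERSAL.search(current):
            return n
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:              # nothing left to decode
            return None
        current = decoded
    return None

# Constructed sample log (hypothetical format: date time client method uri status).
SAMPLE_LOG = """\
2001-07-04 06:40:01 192.0.2.10 GET /index.html 200
2001-07-04 06:40:05 192.0.2.10 GET /images/logo%20small.gif 200
2001-07-04 06:41:12 192.0.2.77 GET /directory/..%5c../winnt/system32/cmd.exe?/c+dir 404
2001-07-04 06:43:30 192.0.2.77 GET /directory/..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir 404
"""

def scan(log_text):
    """Return (client, uri, passes) for every request whose path contains
    or hides a traversal sequence; passes >= 2 means multiply encoded."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri = fields[2], fields[4]
        passes = traversal_pass(uri)
        if passes is not None:
            hits.append((client, uri, passes))
    return hits

if __name__ == "__main__":
    for client, uri, passes in scan(SAMPLE_LOG):
        label = "double-encoded" if passes >= 2 else "encoded" if passes else "literal"
        print(f"{client} {label} ({passes} passes): {uri}")
```

Legitimate requests almost never need a second decoding pass to become meaningful, so any hit with two or more passes is worth reviewing regardless of the response status.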
This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 17:26:47 PDT