I posted this to bugtraq, but I'm not sure if it will be posted, so I will post here too... --- I recently viewed a web page on a server running IIS 4.0 and accidently appended a \ after the url. This to my suprise caused the page to download. This occured under Netscape 4.6 (IE5 appears to ignore the \). I was wondering if anyone else could confirm this behavior. It is not my server so I cannot do extensive testing on it, so I'm bringing it to the community. The file that downloaded was a .html file, however I am curious if appending a \ has the possibility of downloading .asp's or .cgi's. If that was true it would be a definite security hole. Email me hypoclearat_private or the list with any findings. hypoclear
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:37:15 PDT