Re: IIS 5: strange problems handling certain file names
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/07/03
- Previous message: Hall, Chadd: "Re: New attack vectors and a vulnerability dissection of MS03-007"
- Maybe in reply to: [SANG] Peter A. Sang: "IIS 5: strange problems handling certain file names"
Date: Mon, 7 Apr 2003 11:52:05 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
A number of people have replied; allow me to summarize and make some observations of my own:
1. Let me start by pointing out that Windows NT has always supported commas in a filename. This has been documented since Windows NT 3.1. DOS doesn't.
2. Henry Troup pointed out that RFC 1630 and 2396 do not place any restrictions on the use of commas in URIs. It is considered an "unreserved" character, and therefore valid.
3. Many people point to the fact that the IIS Metabase, which stores the information contained in the panel defining home page names, uses commas to delimit the different pages. Encoding the comma in that list was suggested as a way to get around the issues. I tried this in various forms but it never succeeded; each time the encoding was resolved to a comma and treated as a separator (including by enclosing the entire document name with quotes).
4. I did test to see whether or not IIS could handle a filename with a comma...it can. I created a page called "fred,russ.asp" and it could be called up no problems.
So, as Kevin Napier put it, "This precludes you from using it as a start page, error page and the like."
5. Some may have wondered why I allowed this to the list in the first place. I thought the combination of the effects a comma has on the Metabase coupled with the fact it's an allowed character was interesting. I'd be curious if anyone has done any sort of vulnerability testing in this direction.
Cheers,
Russ - NTBugtraq Editor
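
Added example, not part of the original message and not IIS code: a small Python model of the behaviour reported in point 3, where escapes and quotes are resolved before the default-document list is split on commas, plus an audit that flags list entries matching no file and files that cannot be listed. The function names, the decode-then-split order and the sample list values are assumptions made for illustration.

```python
from urllib.parse import unquote


def parse_default_docs(raw):
    """Model of the reported behaviour: escapes are resolved and quotes
    dropped before the value is split on commas (an assumption, not IIS code)."""
    decoded = unquote(raw).replace('"', "")
    return [name.strip() for name in decoded.split(",") if name.strip()]


def audit(raw_list, files_on_disk):
    """Compare a configured list with the files present in the directory.

    Returns (dangling, unlistable):
      dangling   - parsed entries that match no file (compared without
                   regard to case, as Windows file lookups are)
      unlistable - files whose names contain the delimiter and so cannot
                   survive a round trip through the list
    """
    on_disk = {f.lower() for f in files_on_disk}
    dangling = [e for e in parse_default_docs(raw_list) if e.lower() not in on_disk]
    unlistable = sorted(f for f in files_on_disk if "," in f)
    return dangling, unlistable


# Constructed sample data; the file name is the one used in the message.
FILES = ["Default.htm", "fred,russ.asp"]
ATTEMPTS = [
    "Default.htm,fred,russ.asp",    # plain comma
    "Default.htm,fred%2Cruss.asp",  # percent-encoded comma
    'Default.htm,"fred,russ.asp"',  # quoted name
]

if __name__ == "__main__":
    for raw in ATTEMPTS:
        print(raw, "->", parse_default_docs(raw), audit(raw, FILES))
```

All three forms of the entry parse to the same three names, which is why the file can be served by its full name but never selected from the list.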