Re: Directory names with dots

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Directory names with dots
  • From: Dave Watts <dwatts@FIGLEAF.COM>
  • Date: Thu, 27 Aug 1998 10:52:00 -0400
  • Reply-To: Dave Watts <dwatts@FIGLEAF.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

> Actually that's not what's happening.  IIS first "nets out" any ..(.)
> characters with the path section(s) preceding them, then it simply looks
> left-to-right down the URL looking for an extension that indicates an
> executable (AFAIK this is just .exe or .com) or a script engine (as listed
> in the metabase).  The *first* one it finds determines what it thinks you
> want to invoke, and this is *not* necessarily the ultimate file extension.
> It's not looking at the physical directory structure (unless you checked the
> "Check that file exists" box in the extension mapping, and even then it only
> checks the total path string and not the individual sections).  *Following*
> all this, it maps virtual paths to real paths.

...

>> Nice try, but it is a bug.  IIS _has_ to determine whether each portion is
>> referring to a directory or some kind of executable or script.

This is standard behavior across web servers, and is not limited to the
Windows NT platform as far as I can tell. This serves a useful purpose,
allowing a server-side script to execute while prompting the browser to
believe that the name of the file is the last portion of the URL string.

For example, if I want to cause the browser to prompt the user to save a
file to their machine, I can write a script to generate the file, send a
header to specify a non-HTML content type, then specify another name for the
file to be saved as. In the URL below, the server will process getstuff.asp,
and the browser will receive the output as myfile.rtf:

www.myserver.com/getstuff.cfm/myfile.rtf?ID=32

This is useful for generating non-HTML output, and as I mentioned it appears
to be standard web server behavior, not a bug in IIS. To view this behavior,
go to the following URL:

http://conference.perl.com/cgi-bin/pace/reg.pl/

and view that page. Then, append the name of an HTML file and load that:

http://conference.perl.com/cgi-bin/pace/reg.pl/myfile.html

This will execute reg.pl, but if you view the file information or save the
file from within the browser, it will use the name myfile.html. This server
is running Apache 1.2.6, and I'm willing to bet it's not on NT.

Dave Watts, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5494
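The routing rule described in this thread (collapse any `..` segments, then scan the URL left to right and let the first script-mapped extension decide the handler, with the rest of the path becoming path info) can be modelled in a few lines. The block below is an added illustration, not code from the original message or from IIS, Apache, or Fig Leaf Software; the extension-to-handler table is constructed for the example and is not IIS's metabase. It also shows, via `last_extension()`, why a filter that keys on the final extension of the URL sees a different file type than the server actually executes, which is the check a defender reviewing such filters would want.

```python
"""Model of "first script-mapped extension wins" URL routing with path info.

Constructed example for illustration; the extension table below is hypothetical.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical script-engine mapping (stands in for the IIS metabase / Apache handlers).
SCRIPT_EXTENSIONS = {
    ".asp": "asp.dll",
    ".cfm": "coldfusion",
    ".pl": "perl",
    ".exe": "exe",
    ".com": "exe",
}


def normalize_path(path):
    """Decode %xx escapes and 'net out' any . and .. segments, keeping a trailing slash."""
    decoded = unquote(path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    norm = posixpath.normpath(decoded)
    # normpath preserves a leading "//" (POSIX quirk); collapse it for URL purposes.
    while norm.startswith("//"):
        norm = norm[1:]
    if decoded.endswith("/") and norm != "/":
        norm += "/"  # keep the trailing slash so PATH_INFO can be "/" as in reg.pl/
    return norm


def route(url):
    """Return handler, SCRIPT_NAME, PATH_INFO and query for a URL under the model above.

    The *first* segment whose extension is script-mapped is the script; everything
    after it is path info, regardless of what extension the last segment carries.
    """
    parts = urlsplit(url)
    path = normalize_path(parts.path)
    segments = path.split("/")
    for i, seg in enumerate(segments):
        ext = posixpath.splitext(seg)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            script_name = "/".join(segments[: i + 1])
            rest = segments[i + 1 :]
            path_info = "/".join([""] + rest) if rest else ""
            return {
                "handler": SCRIPT_EXTENSIONS[ext],
                "script_name": script_name,
                "path_info": path_info,
                "query": parts.query,
            }
    # No script-mapped extension anywhere: treat as a static file.
    return {"handler": "static", "script_name": path, "path_info": "", "query": parts.query}


def last_extension(url):
    """What a naive filter keyed on the final URL segment would see (e.g. '.rtf')."""
    path = normalize_path(urlsplit(url).path)
    last_seg = path.rstrip("/").rsplit("/", 1)[-1]
    return posixpath.splitext(last_seg)[1].lower()


if __name__ == "__main__":
    # URLs taken from the message above; the host and ID value are the author's examples.
    for u in (
        "http://www.myserver.com/getstuff.cfm/myfile.rtf?ID=32",
        "http://conference.perl.com/cgi-bin/pace/reg.pl/",
        "http://conference.perl.com/cgi-bin/pace/reg.pl/myfile.html",
        "http://www.myserver.com/docs/../getstuff.cfm/myfile.rtf",
    ):
        r = route(u)
        print(f"{u}\n  executes {r['script_name']} via {r['handler']}, "
              f"PATH_INFO={r['path_info']!r}, last extension seen={last_extension(u)!r}")
```

The point for anyone writing an extension-based allow or deny rule in front of such a server: the decision must be made on the first mapped extension in the normalized path, exactly as the server does, or the rule and the server will disagree about which file is being run.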