Re: IIS 5: strange problems handling certain file names

From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Apr 07 2003 - 10:52:05 CDT


A number of people have replied; allow me to summarize and make some observations of my own:

1. Let me start by pointing out that Windows NT has always supported commas in a filename. This has been documented since Windows NT 3.1. DOS doesn't.

2. Henry Troup pointed out that RFC 1630 and 2396 do not place any restrictions on the use of commas in URIs. It is considered an "unreserved" character, and therefore valid.

3. Many people point to the fact that the IIS Metabase, which stores the information contained in the panel defining home page names, uses commas to delimit the different pages. It was suggested that encoding the comma in that list would be a way to get around the issue. I tried this in various forms, but it never succeeded: each time the encoding was resolved to a comma and treated as a separator (including when enclosing the entire document name in quotes).

4. I did test to see whether or not IIS could handle a filename with a comma... it can. I created a page called "fred,russ.asp" and it could be called up with no problems.

So, as Kevin Napier put it, "This precludes you from using it as a start page, error page and the like."

5. Some may have wondered why I allowed this to the list in the first place. I thought the combination of the effects a comma has on the Metabase, coupled with the fact that it's an allowed character, was interesting. I'd be curious if anyone has done any sort of vulnerability testing in this direction.

Cheers,
Russ - NTBugtraq Editor
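The behaviour Russ reports in points 3 and 4 (a comma-bearing file serves fine when requested directly, but cannot be placed in the comma-delimited default-document list because the encoded or quoted comma is still decoded and treated as a separator) can be modelled and checked with a small script. This is an added example, not code from the original post or from Microsoft; the decode-then-split order is an assumption made to reproduce the observed result, and the sample list values are constructed.

```python
from urllib.parse import unquote

# Assumed model of a comma-delimited default-document list, such as the
# IIS 5 Metabase entry behind the "Documents" panel: any percent-encoding is
# resolved first, then the value is split on commas. This is an assumption
# chosen to reproduce the behaviour described in the post, not Microsoft's code.
def split_default_docs(value: str) -> list[str]:
    decoded = unquote(value)
    return [part.strip() for part in decoded.split(",") if part.strip()]

# Defender-side configuration check: a candidate default document name must
# survive the list round-trip as a single entry. Names containing a comma,
# whether literal, percent-encoded (%2C) or wrapped in quotes, do not.
def validate_default_doc(name: str) -> tuple[bool, str]:
    entries = split_default_docs(name)
    if len(entries) != 1 or entries[0] != name:
        return False, f"{name!r} would be stored as {entries}, not as one document"
    return True, "ok"

# A direct request for the file is a separate path: the name is decoded and
# looked up as-is, which is why "fred,russ.asp" can still be served.
def resolve_request_path(url_path: str) -> str:
    return unquote(url_path).lstrip("/")

if __name__ == "__main__":
    # Constructed sample list mixing stock IIS defaults with the post's file name.
    sample = "Default.htm,Default.asp,fred,russ.asp"
    print(split_default_docs(sample))          # the comma name becomes two entries
    for candidate in ("index.asp", "fred,russ.asp", "fred%2Cruss.asp", '"fred,russ.asp"'):
        print(candidate, "->", validate_default_doc(candidate))
    print(resolve_request_path("/fred%2Cruss.asp"))  # direct request still works
```

Run as a script, it shows the list value splitting "fred,russ.asp" into "fred" and "russ.asp", the validator rejecting every encoded or quoted variant, and the direct-request path resolving the same name intact, which is the mismatch between the two code paths that the post describes.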
