Subject: Re: special characters (HTTP)
From: netsec [davidv] (netsec GFI.COM)
Date: Tue Aug 08 2000 - 03:24:20 CDT
Yes, rfp posted some details on the ntsecurity list; however, I don't want
to post the whole text here cause of copyright stuff.
The subject of the post was: More info on MS99-061 (IIS escape character
vulnerability)
Date: Thu 12/30/99 4:39 AM
> -----Original Message-----
> From: Peter Tonoli [mailto:anarchie SUBURBIA.NET]
> Sent: Sunday, August 20, 2000 12:17 AM
> To: VULN-DEV SECURITYFOCUS.COM
> Subject: Re: special characters (HTTP)
>
>
> On Sun, 6 Aug 2000, Bluefish wrote:
>
> > I believe most major httpds (apache, IIS etc) have dealt with this problem
> > long ago. However, some less well-known httpd-softwares have had serious
> > problems with this (checking that URL doesn't contain ".." BEFORE
> > converting special characters)
>
> Err, shouldn't this be *after* converting special chars? What if the
> converted characters are '..' or similar - I seem to remember a
> vulnerability involving this (can't remember what http server
> however!). :)
>
> Peter
>
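The ordering issue discussed in this thread, shown as an added example that is not part of the original messages: a path check that filters ".." before percent-decoding, next to one that decodes once, normalises, and then confirms the result stays under the document root. `DOC_ROOT`, the function names and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # hypothetical document root


def check_then_decode(url_path):
    """Flawed order: filter the raw URL for "..", decode afterwards."""
    if ".." in url_path:
        return None  # rejected
    # Decoding happens after the filter, so encoded dots were never inspected.
    return posixpath.join(DOC_ROOT, unquote(url_path).lstrip("/"))


def decode_then_check(url_path):
    """Decode exactly once, normalise, then verify containment in DOC_ROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # embedded NUL can truncate paths in lower layers
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Compare the normalised result against the root instead of searching
    # the string for "..", so every spelling of the parent reference is covered.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    # The returned path must be used as-is; decoding it a second time
    # downstream would reintroduce the same ordering bug.
    return full


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = [
        "/docs/index.html",
        "/../outside.txt",
        "/%2e%2e/%2e%2e/outside.txt",
        "/%252e%252e/x",
    ]
    for path in samples:
        print(path, "->", check_then_decode(path), "|", decode_then_check(path))
```
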