Skip navigation
Menu
Security

IIS Escape Char Parsing - 31 Oct 1999

 
IIS Escape Char Parsing
Reported December 22, 1999 by ACROS Security Team

VERSIONS AFFECTED
Internet Information Server 4.0
  • Site Server 3.0
  • Site Server Commerce 3.0

    DESCRIPTION

    According to Microsoft"s bulletin, "RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

    The vulnerability does not affect IIS; even specifying a file name via this alternate method does not bypass IIS" access controls. However, third-party software that runs atop IIS but does not perform canonicalization is affected by it.

    VENDOR RESPONSE

    Microsoft released a FAQ, Support Online articles Q246401, as well as patches for Intel and Alpha that correct the issue.

    CREDITS
    Discovered by     ACROS Security Team

    • Hide comments

    More information about text formats

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish
    Recommended Reading
    DevSecOps concept
    90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
    Apr 20, 2024
    Businesswoman challenges concept and gender obstacles
    Women in Cybersecurity Face Barriers to Hiring, Advancement
    Apr 15, 2024
    person typing on keyboard with icons for certificates
    Top IT Certifications for a Career in Finance
    Apr 12, 2024
    employee working on a laptop with AI
    Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
    Mar 26, 2024