IIS Escape Char Parsing Reported December 22, 1999 by ACROS Security Team According to Microsoft"s bulletin, "RFC 1738 specifies that web
servers must allow hexadecimal digits to be input in URLs by preceding them with the
so-called "escape" character, a percent sign. IIS complies with this
specification, but also accepts characters after the percent sign that are not hexadecimal
digits. Some of these translate to printable ASCII characters, and this could provide an
alternate means of specifying files in URLs.
VENDOR RESPONSE
Microsoft released a FAQ, Support Online articles Q246401, as well as patches for Intel and Alpha that correct the issue.
Discovered by ACROS Security Team |
IIS Escape Char Parsing - 31 Oct 1999
0 comments
Hide comments