Vulnerability Development mailing list archives

Re: special characters (HTTP)
From: Iván Arce <core.lists.exploit-dev () CORE-SDI COM>
Date: Tue, 8 Aug 2000 17:30:50 -0300

Mikael Olsson wrote:

Peter Tonoli wrote:

On Sun, 6 Aug 2000, Bluefish wrote:

I believe most major httpds (apache, IIS etc) have dealt with this problem
long ago. However, some less well-known httpd-softwares have had serious
problems with this (checking that URL doesn't contain ".." BEFORE
converting special characters)

Err, shouldn't this be *after* converting special chars? What if the
converted characters are '..' or similar - I seem to remember a
vulnerability involving this (can't remember what http server
however!). :)

Last week's advisory on NAI Net Tools PKI Server included one of these
as problem #2


--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com
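
The ordering problem discussed in this thread, as an added example that is not part of the original messages: one resolver checks for ".." before converting %-escapes, the other converts exactly once, normalises, and then checks containment. DOCROOT, the function names and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)


def inside_docroot(path):
    return path == DOCROOT or path.startswith(DOCROOT + "/")


def resolve_check_then_decode(url_path):
    """Flawed order: look for '..' in the raw path, decode afterwards."""
    if ".." in url_path.split("/"):
        return None  # rejected, but only the literal spelling is caught
    decoded = unquote(url_path)  # "%2e%2e" becomes ".." after the check
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))


def resolve_decode_then_check(url_path):
    """Decode exactly once, normalise, then verify the result is contained."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # an embedded NUL would truncate the path in C file APIs
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    return full if inside_docroot(full) else None


# Constructed request paths: literal, escaped and double-escaped dot segments.
SAMPLES = [
    "/index.html",
    "/docs/../index.html",
    "/../etc/passwd",
    "/%2e%2e/etc/passwd",
    "/%252e%252e/etc/passwd",
]


def compare(samples=SAMPLES):
    """Return (request, flawed result, correct result) for each sample."""
    return [(s, resolve_check_then_decode(s), resolve_decode_then_check(s))
            for s in samples]


if __name__ == "__main__":
    for request, flawed, correct in compare():
        print(f"{request!r:28} check-first={flawed!r:30} decode-first={correct!r}")
```

Decoding only once matters as much as the order: the double-escaped sample resolves to a literal file name inside the document root, and a second decoding pass anywhere later in the request path would reopen the same hole.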

