Vulnerability Development: Re: special characters (HTTP)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: special characters (HTTP)

From: Peter Tonoli <anarchie () SUBURBIA NET>
Date: Sun, 20 Aug 2000 08:17:11 +1000

On Sun, 6 Aug 2000, Bluefish wrote:

I believe most mayor httpds (apache, IIS etc) has delt with this problem
long ago. However, some less wellknown httpd-softwares have had serious
problems with this (checking that URL doesn't contain ".." BEFORE
converting special characters)


Err, shouldn't this be *after* converting special chars? What if the
converted characters are '..' or similar - I seem to remember a
vulnerability involving this (can't remember what http server
however!). :)

Peter

By Date By Thread

Current thread:

special characters (HTTP) Ory Segal (Aug 03)
- Re: special characters (HTTP) Bluefish (Aug 06)
  - Re: special characters (HTTP) Peter Tonoli (Aug 07)
    - Re: special characters (HTTP) Mikael Olsson (Aug 08)
    - Re: special characters (HTTP) Iván Arce (Aug 09)
- <Possible follow-ups>
- Re: special characters (HTTP) netsec [davidv] (Aug 08)