From: "Auri Rahimzadeh" <Auri () auri net>
Reply-To: <Auri () auri net>
To: 'Andres Molinetti' <andymolinetti () hotmail com>,
<pen-test () securityfocus com>, Jeff Robertson
<Jeff.Robertson () DigitalInsight com>
CC: <webappsec () securityfocus com>
Subject: RE: Double Slashes
Date: Thu, 4 Aug 2005 08:58:11 -0500
Look at URLScan and the IIS Lockdown Utility. Just search for it at
Microsoft's web site.
Best,
-Auri
Author
"Geek My Ride" (available at Amazon and most bookstores!)
www.GeekMyRide.net
---------- Original Message ----------------------------------
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Thu, 4 Aug 2005 09:45:11 -0400
>This is very similar to what is being talked about wrt to Apache in the
>thread of messages called "Heavy Security Issue" today. Maybe IIS had
>something similar, and this is how they fixed it.
>
>-----Original Message-----
>From: Andres Molinetti [mailto:andymolinetti () hotmail com]
>Sent: Thursday, August 04, 2005 9:30 AM
>To: pen-test () securityfocus com
>Cc: webappsec () securityfocus com
>Subject: Double Slashes
>
>
>Is there any way to encode a "//" in a GET request to an .ASP page in IIS 5.0
>
>(patched up2date)
>
>For example..
>
>GET /dir1//dir2.asp HTTP/1.0
>
>IIS seems to convert to a single slash the following ones:
>//
>\\
>/./
>/../
>///////// ...
>
>Not sure if it is some fix to old unicode and double encoding bugs.
>
>Regards,
>
>Andy
>