httpd-users mailing list archives

From Adrian Herscu
Subject [users@httpd] Multiple dots in path vulnerability
Date Sun, 09 Jan 2005 12:09:03 GMT
Hi all,

I have a Web application that uses URLs which contain multiple 
dots, such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".

Microsoft distributes an automatic security hardening tool for 
their IIS, named IIS LockDown, and a part of the security 
hardening process includes installing a server module, named 
UrlScan, which filters out "dangerous" URLs according to a list 
of predefined patterns.

After applying their IIS LockDown, I discovered that multi-dots 
URLs are filtered out by the UrlScan module and that Web 
application no longer works.

Here is why Microsoft considers multi-dots URLs "dangerous":

I am interested to know if the vulnerabilities enumerated by the 
aforementioned thread apply to the Apache HTTP Server also.

Thanks for your time,

The official User-To-User support forum of the Apache HTTP Server Project.
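
An added example, not part of the original message and not UrlScan's own code: a simplified Python model of a filter that rejects paths containing more than one dot (the behaviour UrlScan applies when its `AllowDotInPath` option is 0). The allow-list, the file set, the sample URLs and all function names are assumptions made for illustration; the model shows how a filter that reads the extension from the last dot can disagree with the resource the server maps the request to, and why the poster's harmless URL is caught by the same rule.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not taken from any real server).
ALLOWED_EXTENSIONS = {".htm", ".html", ".extm"}
SERVER_FILES = {"/BadFile.exe", "/dir.ext1.ext2.extn/file.ext1.ext2.extm"}


def filter_extension(url):
    """Extension as a pre-routing filter sees it: the text after the last dot."""
    path = urlsplit(url).path
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    # A dot that belongs to a directory name is not a file extension.
    return "" if "/" in ext else ext


def served_resource(url):
    """What the server maps the request to: the shortest path prefix that is
    an existing file; everything after it is passed along as PATH_INFO."""
    segments = urlsplit(url).path.strip("/").split("/")
    for i in range(1, len(segments) + 1):
        candidate = "/" + "/".join(segments[:i])
        if candidate in SERVER_FILES:
            rest = segments[i:]
            path_info = "/" + "/".join(rest) if rest else ""
            return candidate, path_info
    return None, ""


def check(url, allow_dot_in_path):
    """Filter decision made before the server has resolved the path."""
    path = urlsplit(url).path
    if not allow_dot_in_path and path.count(".") > 1:
        return "rejected: multiple dots"
    if filter_extension(url) not in ALLOWED_EXTENSIONS:
        return "rejected: extension"
    return "allowed"


if __name__ == "__main__":
    for url in ("/BadFile.exe/SafeFile.htm",
                "/dir.ext1.ext2.extn/file.ext1.ext2.extm"):
        for allow in (True, False):
            print(url, "allow_dot_in_path =", allow, "->", check(url, allow),
                  "| server maps to", served_resource(url))
```
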