httpd-users mailing list archives

From Adrian Herscu <bmf1...@axentra.net>
Subject [users@httpd] Multiple dots in path vulnerability
Date Sun, 09 Jan 2005 12:09:03 GMT
Hi all,

I have a Web application that uses URLs which contain multiple 
dots, such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".

Microsoft distributes an automatic security hardening tool for 
their IIS, named IIS LockDown, and a part of the security 
hardening process includes installing a server module, named 
UrlScan, which filters out "dangerous" URLs according to a list 
of predefined patterns.

After applying their IIS LockDown, I discovered that multi-dot 
URLs are filtered out by the UrlScan module and that the Web 
application no longer works.

Here is why Microsoft considers multi-dot URLs "dangerous":
http://groups-beta.google.com/group/microsoft.public.inetserver.iis.security/browse_thread/thread/c1652ae38f5190a5/525ce7ca7322dc83?q=wadeh+allowdotinpath&_done=%2Fgroups%3Fq%3Dwadeh+allowdotinpath%26hl%3Den%26btnG%3DGoogle+Search%26&_doneTitle=Back+to+Search&&d#525ce7ca7322dc83

I am interested to know if the vulnerabilities enumerated by the 
aforementioned thread apply to the Apache HTTP Server also.

Thanks for your time,
Adrian.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

