Computer Security - anyone heard of /escape vulnerability ?

08-13-2003, 09:23 AM

Hi !

We recently had a network audit conducted on our network and I could
access the oral report. Unfortunately, the contact dit not seem to know
much about what was being told so...

As the subject says, what is a "slash escape" vulnerabiltiy ? The audit
was made on a IIS server. Googel searches are quite complex with such
term as I have to find a "/escape" pattern... = (

..antoine

.Saphyr

08-13-2003, 05:57 PM

..Saphyr <> randomly produced:

:: Hi !
::
:: We recently had a network audit conducted on our network and I could
:: access the oral report. Unfortunately, the contact dit not seem to
:: know much about what was being told so...
::
:: As the subject says, what is a "slash escape" vulnerabiltiy ? The
:: audit was made on a IIS server. Googel searches are quite complex
:: with such term as I have to find a "/escape" pattern... = (
::
:: .antoine

I think you are possibly talking about breaking out of the root directory?

This is how most of the old web based exploits worked

e.g. on a Linux machine:

www.yourdomain.com/../../etc/passwd

or on Windows:

www.yourdomain.com/../../../WINNT/repair/sam

etc

Google a little on such things (Unicode exploits also work in a similar
fashion).

ST

--

..: http://www.security-forums.com :.

Share your knowledge
It's a way to achieve
Immortality.

Lord Shaolin

08-13-2003, 05:57 PM	#2
Lord Shaolin Posts: n/a	Re: anyone heard of /escape vulnerability ? ..Saphyr <> randomly produced: :: Hi ! :: :: We recently had a network audit conducted on our network and I could :: access the oral report. Unfortunately, the contact dit not seem to :: know much about what was being told so... :: :: As the subject says, what is a "slash escape" vulnerabiltiy ? The :: audit was made on a IIS server. Googel searches are quite complex :: with such term as I have to find a "/escape" pattern... = ( :: :: .antoine I think you are possibly talking about breaking out of the root directory? This is how most of the old web based exploits worked e.g. on a Linux machine: www.yourdomain.com/../../etc/passwd or on Windows: www.yourdomain.com/../../../WINNT/repair/sam etc Google a little on such things (Unicode exploits also work in a similar fashion). ST -- ..: http://www.security-forums.com :. Share your knowledge It's a way to achieve Immortality. Lord Shaolin

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Computer Security	aldrich.chappel.com.use@gmail.com	A+ Certification	0	11-27-2007 02:11 AM
has anybody heard from jefhew@rogers.com???????	the seeker	A+ Certification	0	02-10-2004 10:47 PM
Excalibur - anyone heard anything?	Phatty Boombatty	DVD Video	11	02-10-2004 05:49 AM
Lord of the what ? Never heard of it.	Peter	DVD Video	17	12-22-2003 04:06 AM
Re: Does anyone ever heard about quality assurance in helpdesks?	Pikoro	A+ Certification	2	07-16-2003 03:24 AM

08-13-2003, 09:23 AM	#1
	anyone heard of /escape vulnerability ? Hi ! We recently had a network audit conducted on our network and I could access the oral report. Unfortunately, the contact dit not seem to know much about what was being told so... As the subject says, what is a "slash escape" vulnerabiltiy ? The audit was made on a IIS server. Googel searches are quite complex with such term as I have to find a "/escape" pattern... = ( ..antoine .Saphyr