|
HTTP URL contains /... |
|
|
|
| FAQ | |||
|
|
SummaryA URL containing "/..." was sent to the webserver. This is an attempt to steal files from Win9x-based webservers. An example would be the FrontPage98 webserver that allows URL's containing this string to access any file on the disk.
Details
On Windows 95 and Windows 98, the operating system accepts multiple dots to indicate directories. This is shown in the following table:
. this directory .. one directory up ... two directories up .... three directories up This behavior is derived from UNIX and Windows NT, which have always supported the "." and ".." styles of directories. Win9x introduced the convention of simply adding more dots. Thus, whereas in Windows NT you must specify "../.." in order to go up two directories, in Windows 95 you only need to specify "...".
Since most web servers are derived from Windows NT or UNIX sources, they usually handle the case with "../.." in a URL and double-check the accuracy of the URL (though not always, see intrusion 2000609). However, most web services for Win9x do not correctly filter out the "..." variant, including many versions of Microsoft's own Personal Web Server (PWS) and FrontPage.
Defense
This indicates an attempt only. The parameters indicate the file (URL) that was attempted, and the return code indicating if the attempt was successful (code=200) or not.
False Positives
Examine the value of the URL parameter should be examined to see if it is suspicious.
| more information |
|
| ||||||||||
Version appeared: 1.9