IIS May Improperly Parse Specific Escape Characters

ID: Q246401

The information in this article applies to:
  • Microsoft Internet Information Server version 4.0
  • Microsoft Site Server version 3.0
  • Microsoft Windows NT Server versions 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6

SYMPTOMS

RFC 1738 specifies that Web Servers should allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign.

Microsoft Internet Information Server (IIS) complies with the RFC 1738 specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

It is possible when using the Internet Database Connector (IDC) to create links, or you are using the return value arguments passed to other documents. When this happens you may be unable to pass arguments that contain spaces.

IIS 4.0 may improperly translate non-hexadecimal characters preceded by a percent sign. For example %3p is translated into an \\\"I\\\".

The vulnerability does not affect IIS; even specifying a file name through this alternate method does not bypass IIS access controls. However, third-party software that runs atop IIS but does not perform canonicalization, is affected by it.


RESOLUTION

The following files are available for download from the Microsoft Download Center. Click the file names below to download the files:

US English:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
Simplified Chinese:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
Traditional Chinese:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
German:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
Japanese:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
Korean:
x86: Unschx4i.exe
Alpha: Unschx4a.exe
For more information about how to download files from the Microsoft Download Center, please visit the Download Center at the following Web address
http://www.microsoft.com/downloads/search.asp
and then click How to use the Microsoft Download Center.



STATUS

Microsoft has confirmed this to be a problem in Internet Information Server 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 6.


MORE INFORMATION

For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/MS99-061.asp
For additional security-related information about Microsoft products, please visit the following Microsoft Web site:
http://www.microsoft.com/security/

Additional query words: iisscript asp iiswww iisvirtual

Keywords : kbNTOS400sp4 kbiis400 kbNTOS400sp6 kbNTOS400sp5
Version : winnt:3.0,4.0,4.0 SP3,4.0 SP4,4.0 SP5,4.0 SP6
Platform : winnt
Issue type : kbbug


Last Reviewed: December 22, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.