Microsoft KB Archive/246401

= MS99-061: IIS May Improperly Parse Specific Escape Characters =

Article ID: 246401

Article Last Modified on 9/4/2007

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Site Server 3.0 Standard Edition
 * Microsoft Windows NT 4.0 Service Pack 6
 * Microsoft Windows NT 4.0 Service Pack 3
 * Microsoft Windows NT 4.0 Service Pack 4
 * Microsoft Windows NT 4.0 Service Pack 5

-



This article was previously published under Q246401



SYMPTOMS
RFC 1738 specifies that Web Servers should allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign.

Microsoft Internet Information Server (IIS) complies with the RFC 1738 specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

It is possible when using the Internet Database Connector (IDC) to create links, or you are using the return value arguments passed to other documents. When this happens you may be unable to pass arguments that contain spaces.

IIS 4.0 may improperly translate non-hexadecimal characters preceded by a percent sign. For example %3p is translated into an \\\"I\\\".

The vulnerability does not affect IIS; even specifying a file name through this alternate method does not bypass IIS access controls. However, third-party software that runs atop IIS but does not perform canonicalization, is affected by it.



Windows NT 4.0
The following files are available for download from the Microsoft Download Center:

US English:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Dutch:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

French:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

German:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Japanese:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Korean:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Portuguese (Brazilian)

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Simplified Chinese:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Spanish:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Traditional Chinese:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

Swedish:

x86: Download Unschx4i.exe now

Alpha: Download Unschx4a.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Microsoft Windows NT Server version 4.0, Terminal Server Edition
To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package



STATUS
Microsoft has confirmed that this is a problem in Internet Information Server 4.0.



MORE INFORMATION
For related information about this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS99-061.mspx

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

Additional query words: iisscript asp iiswww iisvirtual security_patch tsesrp

Keywords: kbhotfixserver kbqfe kbbug kbfix kbsecurity KB246401

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.