[WEB SECURITY] file scheme handling of the "|" character

Achim Hoffmann websec10 at sic-sec.org
Wed Jun 22 16:17:48 EDT 2011


Am 21.06.2011 20:45, schrieb Chris Weber:
> While on the topic of URI parsing, were you all aware of this behavior?
> 
> http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the
> -file-scheme/
> 
> I know someone testing Webkit was as it's in their list of test cases.  But
> I did not realize that some browsers, MSIE and Chrome, will literally
> convert the "|" to a ":" in the drive letter of the path component.
> 
> I can see this being a problem for security filters, but can't think of
> anything specific.

what about ADS - alternate data stream?

	http://some.tld/file|wget.exe

feel free to complete the exploit ;-)




More information about the websecurity mailing list