Hi, 
Guest
Pic
Sign In

websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

file scheme handling of the "|" character

CW
Chris Weber
Tue, Jun 21, 2011 6:45 PM

While on the topic of URI parsing, were you all aware of this behavior?

http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the
-file-scheme/

I know someone testing Webkit was as it's in their list of test cases.  But
I did not realize that some browsers, MSIE and Chrome, will literally
convert the "|" to a ":" in the drive letter of the path component.

I can see this being a problem for security filters, but can't think of
anything specific.

-Chris

While on the topic of URI parsing, were you all aware of this behavior? http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the -file-scheme/ I know someone testing Webkit was as it's in their list of test cases. But I did not realize that some browsers, MSIE and Chrome, will literally convert the "|" to a ":" in the drive letter of the path component. I can see this being a problem for security filters, but can't think of anything specific. -Chris
RA
Robert A.
Tue, Jun 21, 2011 7:53 PM

While on the topic of URI parsing, were you all aware of this behavior?

http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the
-file-scheme/

I know someone testing Webkit was as it's in their list of test cases.  But
I did not realize that some browsers, MSIE and Chrome, will literally
convert the "|" to a ":" in the drive letter of the path component.

I can see this being a problem for security filters, but can't think of
anything specific.

Interesting. Here's another odd behavior that I couldn't convert to a
abuse case, but may be useful to someone.

http://www.cgisecurity.com/2010/03/random-firefox-url-handling.html

Regards,

  • Robert

-Chris

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

> While on the topic of URI parsing, were you all aware of this behavior? > > http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the > -file-scheme/ > > I know someone testing Webkit was as it's in their list of test cases. But > I did not realize that some browsers, MSIE and Chrome, will literally > convert the "|" to a ":" in the drive letter of the path component. > > I can see this being a problem for security filters, but can't think of > anything specific. Interesting. Here's another odd behavior that I couldn't convert to a abuse case, but may be useful to someone. http://www.cgisecurity.com/2010/03/random-firefox-url-handling.html Regards, - Robert > > -Chris > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >
AH
Achim Hoffmann
Wed, Jun 22, 2011 8:17 PM

Am 21.06.2011 20:45, schrieb Chris Weber:

While on the topic of URI parsing, were you all aware of this behavior?

http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the
-file-scheme/

I know someone testing Webkit was as it's in their list of test cases.  But
I did not realize that some browsers, MSIE and Chrome, will literally
convert the "|" to a ":" in the drive letter of the path component.

I can see this being a problem for security filters, but can't think of
anything specific.

what about ADS - alternate data stream?

http://some.tld/file|wget.exe

feel free to complete the exploit ;-)

Am 21.06.2011 20:45, schrieb Chris Weber: > While on the topic of URI parsing, were you all aware of this behavior? > > http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the > -file-scheme/ > > I know someone testing Webkit was as it's in their list of test cases. But > I did not realize that some browsers, MSIE and Chrome, will literally > convert the "|" to a ":" in the drive letter of the path component. > > I can see this being a problem for security filters, but can't think of > anything specific. what about ADS - alternate data stream? http://some.tld/file|wget.exe feel free to complete the exploit ;-)
Empathy v1.0   2024 ©Harmonylists.com