This article applies to:
Symptoms:
- Several sets of periods appear in the Top Pages table of my Firewall Suite report.
Causes:
Two periods together usually denote the ability to move "up" in a directory structure. This is illustrated in the following series of commands:
C:\Directory\Subdirectory> cd ..
C:\Directory>
However, this syntax is typically only used at an interactive prompt - it should never be seen in an HTTP request. Therefore, it can be confusing to see entries containing this syntax in the Top Pages report. Consider the following image from a Top Pages report:
The Top Pages listing shown above represents an attempt to gain remote privileges on an IIS server - in other words, a "hack" attempt.
In very early versions of IIS, it was possible to see documents above the wwwroot directory using the ../ syntax. For instance, a hacker could enter a URL such as:
http://www.victim.com/../../somefile.txt
...and his or her browser would display a file that was located in the C:\ directory on the remote web server. This behavior was characterized as a bug by Microsoft and was patched in a security update. This bug was only present on very early versions of IIS.
More recently, a newer version of the same bug has appeared, which is generally referred to as the IIS Unicode exploit. In this attack, hackers replace the central / character in /../../ with a set of unicode characters which are interpreted as a slash. This vulnerability was also patched by Microsoft, but much more recently.
Information:
If records are seen like this in the reports or in log files, it would be wise to make sure that the IIS server has been updated with all security fixes and service pack releases.
- This article was previously published as:
- NETIQKB2594