IIS Double Decode Error

Hi

We are a security SP, monitoring IDSs for a number of clients. Last week, I noticed something peculiar.

We detected a WWW IIS Double Decode Error, Victim Add 206.107.131.10. What is really strange is that we detected this signature on all our clients' IDSs. The target IP resolves to the BURSTMEDIA.COM network.

I suspect some sort of URL spoofing. If you have any suggestions or leads, please help.


6 Replies

bkubesh (Level 1)

The double decode alarm will fire when any of the following 'protocol delimiter' characters appear to be double encoded in the URI section of a request only.

Null(0), Tab(9), Space(0x20), LF(0x0a), CR(0x0d)

What is the packet context data for the alarm?

I think this is what you are asking...

GET /cgi-bin/ads/ad9611a.cgi/sz=0X0MN/v=1.0J/r=http%253A%252F%252Fwww.best-love-poems.com%252Fpoems.php%253Fid%253D148317/2837/RETURN-CODE/JS/ HTTP/1.0

My concern is that I get this Signature from all my different clients IDS's.

Thanks for reply

A correction on my previous post. The IIS double decode alarm will fire anytime it finds doubly encoded characters in the URI of a request, specifically %25, which escapes a '%' character. There is a different alert for the special characters I mentioned before.

I would expect the above URI to fire the IIS double decode alarm due to the encoded '%' characters in your URI. We allow encoded characters as arguments to URIs, and they are typically in the argument section and separated from the URI by a '?' or ';'. In this case they are embedded in the URI path.

The format of your example URI is non-standard for HTTP service according to RFC 2396. However, web services can use any method they wish to delimit data. That being said, the IIS double decode alert is only valid for IIS servers. If this alarm is coming from a single source, I would recommend adding a filter for it.
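The detection rule described in the reply above (fire on %25 followed by two hex digits in the path portion of the URI, but not in the argument section after '?' or ';'), worked through as an added example; this is not code from the original thread or from any Cisco sensor. The first sample request is the request line quoted in the thread; the other three are constructed here for illustration, and the `..%255c` sample is a generic double-encoded traversal pattern, included only to show why a path that looks safe after one decode can be dangerous after two.

```python
import re
from urllib.parse import unquote

# Sample request lines. The first is the one quoted in the thread; the rest
# are constructed for this example and were not captured from any IDS.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/ads/ad9611a.cgi/sz=0X0MN/v=1.0J/r=http%253A%252F%252F"
    "www.best-love-poems.com%252Fpoems.php%253Fid%253D148317/2837/RETURN-CODE/JS/ HTTP/1.0",
    # Constructed: double-encoded backslash ("%255c" -> "%5c" -> "\") in the path.
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    # Constructed: %25 only in the argument section, so the rule should not fire.
    "GET /search.asp?q=100%2525+off HTTP/1.0",
    # Constructed: nothing encoded at all.
    "GET /index.html HTTP/1.0",
]

# "%25" is the URL-encoded form of '%'; followed by two hex digits it is a
# doubly encoded character.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def split_request_uri(request_line):
    """Return (path, args) for an HTTP request line.

    The argument section is everything after the first '?' or ';', matching
    the delimiters named in the reply. Encoded delimiters such as %253F stay
    in the path, which is exactly the case the thread is about.
    """
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else request_line
    m = re.search(r"[?;]", uri)
    if m:
        return uri[:m.start()], uri[m.end():]
    return uri, ""


def double_decode(s):
    """Apply URL decoding twice, as a double-decoding server would."""
    return unquote(unquote(s))


def check_double_decode(request_line):
    """Mimic the alarm as described: fire on %25xx in the path portion only."""
    path, args = split_request_uri(request_line)
    hits = DOUBLE_ENCODED.findall(path)
    return {
        "fires": bool(hits),
        "path": path,
        "args": args,
        "decoded_once": unquote(path),
        "decoded_twice": double_decode(path),
    }


def traversal_only_after_second_decode(request_line):
    """True when '../' or '..\\' appears only after the second decode.

    This is the shape that matters on a server that validates the path after
    one decode and then decodes again before use: the single-decoded path
    looks clean, the double-decoded one does not.
    """
    path, _ = split_request_uri(request_line)
    once, twice = unquote(path), double_decode(path)

    def has_traversal(s):
        return "../" in s or "..\\" in s

    return (not has_traversal(once)) and has_traversal(twice)


def triage(requests):
    """Return one result per request so an analyst can compare path vs. args."""
    rows = []
    for r in requests:
        info = check_double_decode(r)
        info["traversal_after_double_decode"] = traversal_only_after_second_decode(r)
        rows.append(info)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        print(row["fires"], row["traversal_after_double_decode"], row["decoded_twice"])
```

Run against the four samples, the thread's ad-server request fires (several %25xx sequences sit in the path) but double-decodes to an ordinary URL with no traversal, which is the benign case the reply describes; the constructed `..%255c` request both fires and changes meaning on the second decode, which is the case the signature exists for; the `%2525` sample does not fire because the encoding is in the argument section.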

I just did a telnet to burstmedia.com port 80, and it appears that they are running IIS 5.0 servers.

The IIS double decode vulnerability was fixed in IIS version 5. This is a case where tools like Cisco Threat Response (CTR) can be useful to validate the alarm.

stephblair (Level 1)

Burst Media is a "get paid to advertise" site for popup ads etc. Each time the user visits a site with those popups, it alerts Burst. You can use CSA to block the replies when a user hits a website with Burst ads on the page; however, the user may not see the popups (believe it or not, some people like popups). It sometimes involves spyware or cookies; run SpyBot or Ad-Aware.

Thanks. This makes sense