
An easy way to kill IIS 5.1

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 30 Nov 2006 14:08:24 +0100
Message-ID: <456ED7C8.9010906@gmx.de>
To: WebDAV <w3c-dist-auth@w3.org>

Hi,

I'm posting this here hoping that somebody from MSFT who cares may read it.

There's a simple way to render an IIS (5.1) WebDAV resource unusable for 
conforming clients - just set a custom property containing the Unicode 
code point U+10000.

The result is a property that you can't access anymore using a client 
based on a standards-conforming XML parser, because IIS returns an octet 
sequence that isn't legal UTF-8:

	ED A0 80 ED B0 80

Here's a script to test this with:

+++
var req = new ActiveXObject ("MSXML2.XMLHTTP");
var out = new ActiveXObject ("MSXML2.DOMDocument");

req.open ("PROPPATCH", WScript.Arguments(0), false, 
WScript.Arguments(1), WScript.Arguments(2));
req.setRequestHeader ("Content-Type", "text/xml");
req.send ("<propertyupdate xmlns='DAV:'><set><prop><foobar>&#65536;</foobar></prop></set></propertyupdate>");

WScript.Echo (req.status);
WScript.Echo (req.getAllResponseHeaders());
WScript.Echo (req.responseText);
+++

(usage: cscript scriptname.js URI username password)

Best regards, Julian
Received on Thursday, 30 November 2006 13:08:37 GMT
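
The following is an added example, not part of the original post: a check a client or proxy could run on a response body to spot the octet sequence quoted above, where each half of a UTF-16 surrogate pair was encoded as its own 3-byte sequence, and to show the 4-byte form valid UTF-8 uses instead. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example (not from the original post): find surrogate halves that were
// each encoded as a 3-byte sequence, the ED A0 80 ED B0 80 form quoted above.

// A conforming decoder rejects such input; fatal mode makes that observable.
function isStrictUtf8(bytes) {
  try {
    new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    return true;
  } catch (e) {
    return false;
  }
}

// Returns the 16-bit value if the 3 bytes at i encode U+D800..U+DFFF, else -1.
function surrogateAt(bytes, i) {
  if (i + 2 >= bytes.length) return -1;
  const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
  if (b0 !== 0xed || (b1 & 0xe0) !== 0xa0 || (b2 & 0xc0) !== 0x80) return -1;
  return 0xd000 | ((b1 & 0x3f) << 6) | (b2 & 0x3f);
}

// Report each high+low pair, the code point it stands for, and its valid UTF-8.
function findSurrogatePairs(bytes) {
  const hits = [];
  for (let i = 0; i < bytes.length; i++) {
    const hi = surrogateAt(bytes, i);
    if (hi < 0xd800 || hi > 0xdbff) continue;
    const lo = surrogateAt(bytes, i + 3);
    if (lo < 0xdc00 || lo > 0xdfff) continue;
    const cp = 0x10000 + ((hi - 0xd800) << 10) + (lo - 0xdc00);
    const valid = Array.from(new TextEncoder().encode(String.fromCodePoint(cp)));
    hits.push({ offset: i, codePoint: cp, validUtf8: valid });
    i += 5; // skip the rest of the six-byte pair
  }
  return hits;
}

const hex = (a) => a.map((b) => b.toString(16).toUpperCase().padStart(2, "0")).join(" ");

// Constructed sample: a property element carrying the bytes quoted in the post.
const enc = new TextEncoder();
const SAMPLE = Uint8Array.from([
  ...enc.encode("<foobar>"), 0xed, 0xa0, 0x80, 0xed, 0xb0, 0x80, ...enc.encode("</foobar>"),
]);

console.log("strict UTF-8:", isStrictUtf8(SAMPLE));
for (const h of findSurrogatePairs(SAMPLE)) {
  console.log(`offset ${h.offset}: U+${h.codePoint.toString(16).toUpperCase()} should be ${hex(h.validUtf8)}`);
}
```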
