IIS Escape Char Parsing
Reported December 22, 1999 by ACROS Security Team
According to Microsoft"s bulletin, "RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.
Discovered by ACROS Security Team