I originally sent this message to bugtraq, but they did not post it. Instead they stuck it in their vulnerability database and removed all of my comments and example. So much for full disclosure...

Flicks Software just released a product named Titan[1]. It is described as an application firewall (i.e., it is an ISAPI filter for IIS that can do varying levels of protocol inspection). One of the features allows a user to filter on patterns within the URL for things such as cmd.exe.

The problem is the guys at Flicks obviously don't understand web security (which is scary because they have been developing AuthentiX for some time now, not to mention that the version of Titan I had was 5.5a7; I am baffled at how a fifth major revision of a piece of software can be so fundamentally broken).

I started off by placing cmd.exe into an executable folder on my web server and enabling the Titan security. As expected, I received an error message when attempting to access the file. I then proceeded to try a trick my little sister showed me. I URL-encoded some of the characters in the URL like so:

http://www.example.com/scripts/cmd%2Eexe?/C+dir+c:%5C

Would you believe that I got a directory listing back? I did.

What further disturbs me is that this has already been done, by Microsoft and their arch rivals -- eEye[2]. eEye was first to market with their SecureIIS product (~$400). I suspect that M$ then released URLScan[3] for free as a jab at all the M$ advisories eEye releases. So there are two decent products out there and Flicks releases this piece of JUNK and thinks they can get ~$400 a pop. HA! What a joke.

[1] http://www.flicks.com/titan
[2] http://www.eeye.com
[3] http://www.google.com?q=urlscan
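The defect described above is a URL pattern filter that compares the blocked string against the raw, still-percent-encoded request path, so "cmd%2Eexe" never matches "cmd.exe" even though IIS decodes it to the same file. The example below is added here and is not Titan's code or any vendor's; it contrasts a naive filter with one that canonicalizes the path (percent-decoding, case-folding, and backslash normalization, as IIS itself does) before matching. It goes slightly beyond the post by decoding repeatedly up to a fixed bound, so a path encoded more than once is also normalized. The function names, the blocked-pattern list and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import unquote

# Constructed blocklist; the post only mentions cmd.exe.
BLOCKED_PATTERNS = ("cmd.exe",)

# Upper bound on decode rounds so a pathological input cannot loop forever.
MAX_DECODE_ROUNDS = 3


def request_path(url: str) -> str:
    """Return the path portion of a URL, i.e. everything before the first raw '?'.

    The split happens on the raw '?' before any decoding, because an encoded
    '%3F' inside the path is a literal character of the filename, not the
    start of the query string.
    """
    return url.split("?", 1)[0]


def canonicalize_path(path: str) -> str:
    """Normalize a request path the way a Windows/IIS file lookup effectively does.

    - percent-decode until the string stops changing (bounded by MAX_DECODE_ROUNDS)
    - treat '\\' as a path separator, since the Windows file system accepts it
    - fold to lower case, since NTFS/IIS file names are case-insensitive
    """
    decoded = path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def naive_filter_blocks(url: str) -> bool:
    """The broken approach: match patterns against the raw, still-encoded path."""
    raw = request_path(url).lower()
    return any(pattern in raw for pattern in BLOCKED_PATTERNS)


def hardened_filter_blocks(url: str) -> bool:
    """The corrected approach: canonicalize first, then match."""
    canonical = canonicalize_path(request_path(url))
    return any(pattern in canonical for pattern in BLOCKED_PATTERNS)


if __name__ == "__main__":
    # Constructed sample requests: plain, single-encoded, double-encoded, and benign.
    samples = [
        "http://www.example.com/scripts/cmd.exe?/C+dir+c:%5C",
        "http://www.example.com/scripts/cmd%2Eexe?/C+dir+c:%5C",
        "http://www.example.com/scripts/cmd%252Eexe?/C+dir+c:%5C",
        "http://www.example.com/scripts/index.asp",
    ]
    for url in samples:
        print(f"{url}\n  naive blocks: {naive_filter_blocks(url)}"
              f"  hardened blocks: {hardened_filter_blocks(url)}")
```

The key design point is that the filter must see the same string the file system will see. Any difference between the filter's view and the server's view of the path (encoding, case, separator characters) is a mismatch an attacker can stand in. A bounded decode loop is used rather than a single unquote because a single pass still leaves a gap between filter and server if anything downstream decodes a second time.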