URL Encoded Characters and some Keywords Unfiltered

May 24, 2010 at 11:55 AM

Hi there,

I've implemented this ISAPI filter on my server, and I've been noticing in the IIS logs that URL encoded apostrophe ( %27 ) appears to be getting through, aswell as the keywords "UNION ALL SELECT" for MySQL. These appear in the IIS logs unfiltered. Thankfully the code for the site prevented these injection attempts from succeeding, but I was disappointed to see that this filter did nothing to prevent it from getting that far. Ive tried these same strings in the ASPtestApp that came with the filter, and it returned the string unfiltered.

Shouldn't this filter be checking for these things?