I originally sent this message to bugtraq, but they did not post 
it.  Instead they stuck it in their vulnerability database and 
removed all of my comments and example.  So much for full disclosure...

Flicks Software just released a product named Titan[1].  It is 
described as an application firewall (i.e., it is an ISAPI filter for 
IIS that can do varying levels of protocol inspection).  One of the 
features allows a user to filter on patterns within the URL for things 
such as cmd.exe.  

The problem is the guys at Flicks obviously don't understand web 
security (which is scary because they have been developing AuthentiX 
for some time now, not to mention the version of Titan I had was 5.5a7, 
I am baffled at how a 5th major revision piece of software can be so 
fundamentally broken).

I started off by placing cmd.exe into an executeable folder on my 
web server and enabling the Titan security.  As expected, I received 
an error message when attempting to access the file.  I then proceeded
to try a trick my little sister showed me.  I URL encoded some of 
the characters in the URL like so:

  http://www.example.com/scripts/cmd%2Eexe?/C+dir+c:%5C

Would you believe that I got a directory listing back?  I did.

What further disturbs me is that this has already been done, by 
Microsoft and their arch rivals -- eEye[2].  eEye was first to market 
with their SecureIIS product (~$400).  I suspect that M$ then 
released URLScan[3] for free as a jab at all the M$ advisories eEye 
releases.  So there are two decent products out there and Flicks
releases this piece of JUNK and thinks they can get ~$400 a pop.
HA!  What a joke.


[1] http://www.flicks.com/titan
[2] http://www.eeye.com
[3] http://www.google.com?q=urlscan