2

We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.
As a test case I have this little page (it's an ASP server):

<html>
<body>
  <form method="post">
    <input type="text" name="Plus" id="Plus" />
    <input type="submit" />
  </form>
  Previous Value: <%= request("Plus") %><br />
  Query String: <%= request.querystring %>
</body>
</html>

On every other server this works well, but on one server pluses are replaced with spaces.
Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.
It should be said someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).
Thanks.


UPDATE: It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection .
The filter is buggy - it replaces valid characters from POST and GET:

  1. Plus signs are replaced with spaces: "1%2B2" -> "1+2", same as "1 2"
  2. Semicolons are replaced with commas: "hello;" -> "hello,"

A newer version of the filter (2.0b) does not fix this, but allows excluding certain pages. Since it is installed in production, we decided not to remove the filter; we used JavaScript to change all pluses to "&#43 " (with space and not a semicolon).
Not the optimal solution, but that's what the boss wanted.

Joel Coehoorn
Kobi

2 Answers

1

Consider ASCII code. In place of a plus sign, use its ASCII code. It would be chr(43). Both ASP and SQL would understand this.

Here is a table with all ASCII codes: http://www.asciitable.com/

Eric
  • That's not an excellent solution, but it works. I'll accept your solution because that little patch is what we did eventually. Thanks anyway. – Kobi May 12 '09 at 12:55
  • Not to get too personal, but I noticed you live in Israel. How is it out there as far as living. Is it as bad as our Media portrays it? I want to go out there soon because I love the culture and the people. – Eric May 12 '09 at 13:20
  • It's big fun, but this is hardly the place to talk about that. Feel free to contact me in any way (my blog has a few links) – Kobi May 12 '09 at 14:52
  • @Eric I see that `chr()` works with an integer. Is there any solution for a string? – VijayRana May 05 '22 at 04:19
0

Well, this also confused me, till I saw this post: Server.URLEncode started to replace blank with plus ("+") instead of percent-20 ("%20")

in short:

  • RFC-1866 (around 1995), declared that blank " " should be parsed to "+" in request body.
  • RFC-3986 (2005, Jan) declared that blank " " should be parsed to "%20"

And the ASP framework supports RFC-1866, and sometimes mixes in RFC-3986 (it seems), so the parameter %2b is first converted to + (normal ASCII/urldecode rule), then it is converted to a blank (RFC-1866 rule).

This is my guess; I don't care about old, dead tech. For more details, see

Community
Siwei
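
The decode order described in the question's update and in the answer above, as an added example that is not part of the original posts and is not the filter's actual code: a JavaScript model in which a hypothetical `leakyFilter` forwards the percent-decoded value, so the application's own form decoding then turns the resulting `+` into a space. All function names and sample inputs are constructed for illustration, and the model is ASCII-only.

```javascript
// Added example. ASCII-only model of the decode chain; the filter internals are assumed.

// Lenient percent-decoder: malformed escapes such as "%y" are left untouched.
function pctDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// application/x-www-form-urlencoded, as a browser encodes a form field.
function formEncode(s) {
  return encodeURIComponent(s).replace(/%20/g, "+");
}

// What the application does exactly once: "+" is a space, then %XX is resolved.
function formDecode(s) {
  return pctDecode(s.replace(/\+/g, " "));
}

// Hypothetical filter: percent-decodes the value to inspect it, rewrites ";"
// to ",", and forwards the decoded text instead of the original bytes.
function leakyFilter(raw) {
  return pctDecode(raw).replace(/;/g, ",");
}

// A transparent filter inspects a copy and forwards the request unchanged.
function transparentFilter(raw) {
  return raw;
}

// Value the application ends up with when the filter sits in the request path.
function seenByApp(input, filter) {
  return formDecode(filter(formEncode(input)));
}

// Canary check: send each probe character wrapped as "x?y" and record the
// ones that arrive altered. An empty result means the path is transparent.
function probeFilter(filter, probes = ["+", ";", " ", "%", ","]) {
  const altered = {};
  for (const ch of probes) {
    const got = seenByApp("x" + ch + "y", filter);
    if (got !== "x" + ch + "y") altered[ch] = got.slice(1, -1);
  }
  return altered;
}

console.log(seenByApp("1 2+3", leakyFilter)); // constructed input from the question
console.log(probeFilter(leakyFilter));
```

Running the same canary probe against a test endpoint before and after a request filter is enabled shows whether the filter rewrites input rather than only inspecting it.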