lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 26 Mar 2013 18:47:02 -0400
From: Jeffrey Walton <noloader@...il.com>
To: safe3q@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Report OWASP WAF Naxsi bypass Vulnerability

Tracked through issue 65
(http://code.google.com/p/naxsi/issues/detail?id=65), fixed at
check-in R545 (http://code.google.com/p/naxsi/source/detail?spec=svn545&r=545).

On Mon, Mar 25, 2013 at 10:00 PM,  <safe3q@...il.com> wrote:
> OWASP WAF Naxsi bypass Vulnerability
>
> Certain unspecified input is not properly handed in
> naxsi_src/naxsi_utils.c naxsi_unescape_uri(u_char **dst, u_char **src,
> size_t size, ngx_uint_t type) before being used to filtered. This can
> be exploited to bypass some WAF rules.
>
> Naxsi site
> https://code.google.com/p/naxsi/
>
> Affected
> All the version
>
> My site
> http://safe3.com.cn/
>
> My nick name is Safe3
>
> It happens like that,the naxsi_unescape_uri function process the % url
> decode,if the next char after the % is a hex char and not after the
> hex char,then it will drop the % and the next char.So if we input a
> sql keyword "s%elect",it will come to "slect" instead,this is not the
> standard url decode way.Such as the IIS asp,it will process the
> "s%elect" as a result of "select",so we can bypass some
> WAF rules just like that.
>
> I afford a standard url decode function patch as the follow to fix this issue:
> ...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ