lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0412260129190.19642-100000@bugsbunny.castlecops.com>
Date: Sun, 26 Dec 2004 01:33:10 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: bugs@...uritytracker.com, <bugtraq@...urityfocus.com>,
        <full-disclosure@...ts.netsys.com>, <moderators@...db.org>,
        <news@...uriteam.com>, <vuln@...unia.com>, <vulnwatch@...nwatch.org>
Subject: Re: New Santy-Worm attacks *all* PHP-skripts


On Sat, 25 Dec 2004, Paul Laudanski wrote:

> [code]
> SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
> SecFilter ":/"
> [/code]
> 
> Just in case the URL changes, the latter should still get all sorts of:
> 
> http://
> ftp://
> 
> Naturally, the latter also filters on 
> 
> %3a%2f

I've been noticing some filters out there that may be a little too all 
encompassing.  Just giving a heads up.

http://castlecops.com/article-5640-nested-0-0.html

[quote]
I've seen some folks filtering the echr or esystem from the GET requests. 
This is flawed, because they are often times preceded by 

%2525echr(x)

Where x is any character.

This turns into

%.chr(x)

Which is a concatenation in PHP, and the chr is a function call from php:

http://php.net/chr

So filtering on echr or esystem is not valid, as e is part of the 
hexadecimal code, and simply put, it can be replaced with another hex 
code, then the echr filter would not match.

Filtering then on chr doesn't work either, because you can multiple false 
positive matches:

chris
christmas
christ
etc 

Instead of focusing on the good characters, you need to focus on the bad 
characters like the tick mark.
[/quote]

> 
> No Warranty
> -----------
> ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES,
> AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES
> AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS,
> AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF
> MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND
> NONINFRINGEMENT. http://castlecops.com/article1.html

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ