lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 3 Jun 2006 12:12:57 -0400
From: "M. Dodge Mumford" <dodge@....net>
To: Sigint Consulting <info@...int-consulting.com>
Cc: dailydave@...ts.immunitysec.com, bugtraq@...urityfocus.com
Subject: Re: New Snort Bypass - Patch - Bypass of Patch

[Sorry to reply to my own post, but...]

M. Dodge Mumford said:
> Sigint Consulting said:
> > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> > 192.168.1.3 80
> > 
> > No alert is generated from the string above.
> 
> [...]
> 
> > We are not sure how much this may buy an attacker as the CR character
> > may mess up any requests to the webserver, further research is needed
> > on this.
> 
> I performed this research while developing NFR's web signatures, and found
> that all web servers I tested (several years ago) handled end-of-lines using
> "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
> interprets "index.php" in the example above as an actual filename, I for one
> would be very interested in knowing about it.

Apparently my memory is failing. If I performed this test, I remembered the
results incorrectly.  Mea culpa.


-- 

Dodge

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ