| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Jun 2006 16:47:51 +0530 From: "Pukhraj Singh" <pukhraj.singh@...il.com> To: "M. Dodge Mumford" <dodge@....net> Cc: "Sigint Consulting" <info@...int-consulting.com>, dailydave@...ts.immunitysec.com, bugtraq@...urityfocus.com Subject: Re: New Snort Bypass - Patch - Bypass of Patch Apache uses a modified version of the isspace() macro. So it allows \f,\n,\r,\t (\v is not allowed, as far as I can recall) as whitespace. I know this affected lot of IPSes. Thanks, Pukhraj On 6/3/06, M. Dodge Mumford <dodge@....net> wrote: > [Sorry to reply to my own post, but...] > > M. Dodge Mumford said: > > Sigint Consulting said: > > > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc > > > 192.168.1.3 80 > > > > > > No alert is generated from the string above. > > > > [...] > > > > > We are not sure how much this may buy an attacker as the CR character > > > may mess up any requests to the webserver, further research is needed > > > on this. > > > > I performed this research while developing NFR's web signatures, and found > > that all web servers I tested (several years ago) handled end-of-lines using > > "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that > > interprets "index.php" in the example above as an actual filename, I for one > > would be very interested in knowing about it. > > Apparently my memory is failing. If I performed this test, I remembered the > results incorrectly. Mea culpa. > > > -- > > Dodge > > >
Powered by blists - more mailing lists