[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1a9f19350606050417n6ad07dcaw1e751ff28eb446ae@mail.gmail.com>
Date: Mon, 5 Jun 2006 16:47:51 +0530
From: "Pukhraj Singh" <pukhraj.singh@...il.com>
To: "M. Dodge Mumford" <dodge@....net>
Cc: "Sigint Consulting" <info@...int-consulting.com>,
dailydave@...ts.immunitysec.com, bugtraq@...urityfocus.com
Subject: Re: New Snort Bypass - Patch - Bypass of Patch
Apache uses a modified version of the isspace() macro. So it allows
\f,\n,\r,\t (\v is not allowed, as far as I can recall) as whitespace.
I know this affected lot of IPSes.
Thanks,
Pukhraj
On 6/3/06, M. Dodge Mumford <dodge@....net> wrote:
> [Sorry to reply to my own post, but...]
>
> M. Dodge Mumford said:
> > Sigint Consulting said:
> > > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> > > 192.168.1.3 80
> > >
> > > No alert is generated from the string above.
> >
> > [...]
> >
> > > We are not sure how much this may buy an attacker as the CR character
> > > may mess up any requests to the webserver, further research is needed
> > > on this.
> >
> > I performed this research while developing NFR's web signatures, and found
> > that all web servers I tested (several years ago) handled end-of-lines using
> > "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
> > interprets "index.php" in the example above as an actual filename, I for one
> > would be very interested in knowing about it.
>
> Apparently my memory is failing. If I performed this test, I remembered the
> results incorrectly. Mea culpa.
>
>
> --
>
> Dodge
>
>
>
Powered by blists - more mailing lists