Message-Id: <200706200919.49311.fdlist@digitaloffense.net>
Date: Wed, 20 Jun 2007 09:19:49 -0500
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: IPS Evasion with the Apache HTTP Server

Agreed. The point was that IPS vendors have put a large amount of effort 
into normalizing IIS-specific encodings, but fail to handle 
Apache-specific quirks. 

The note in RFC 2616, Section 4.1, refers to a single CRLF before the 
Request-Line. Prepending multiple CRLFs or non-printable characters (as 
coderman mentioned) falls outside of the RFC and I consider them 
Apache-specific HTTP evasions.

Jamie has a good point about the PHP RFI signatures. Many IPS products 
(sorry, I don't want to pick on any particular vendor) will look for an 
http:// URL to detect RFI attacks. Replacing http with one of the other 
protocol handlers (zip, ftp, file, smb on Windows, etc.) will evade many 
of these signatures. The php://filter/resource trick is a nice hack for 
evading existing signatures while still using an http URL for the included 
PHP code.

-HD

On Wednesday 20 June 2007 08:50, 3APA3A wrote:
> You simply MUST accept the risk there is always the way to
> bypass content filtering. IPS like doesn't protect your network by
> itself. IPS is nothing, but a tool.
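
Added example, not part of the original message or thread: a detection-side sketch in Python of the two gaps discussed above, comparing a signature that only looks for a parameter starting with http:// against a check that first skips bytes preceding the Request-Line and then flags any scheme:// value. The regexes, function names, sample requests and the example.test host are all constructed assumptions, not any vendor's signature.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed model of the narrow signature: a parameter value starting with http://
NARROW = re.compile(r"[?&][^=&]+=http://", re.I)
# Scheme-agnostic test applied to each decoded parameter value.
ANY_SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*://", re.I)

def narrow_signature(raw: bytes) -> bool:
    """Match only the first line as received, with no normalization."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    return bool(NARROW.search(first_line))

def request_line(raw: bytes) -> str:
    """Skip CRLFs and non-printable bytes that precede the Request-Line."""
    i = 0
    while i < len(raw) and not 0x21 <= raw[i] <= 0x7E:
        i += 1
    return raw[i:].split(b"\r\n", 1)[0].decode("latin-1")

def url_valued_params(raw: bytes) -> list:
    """Return (name, value) pairs whose decoded value begins with any scheme://."""
    parts = request_line(raw).split(" ")
    if len(parts) != 3:
        return []
    query = urlsplit(parts[1]).query
    # parse_qsl percent-decodes names and values before the check.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if ANY_SCHEME.match(v.strip())]

# Constructed sample requests; example.test is a placeholder host.
SAMPLES = {
    "http": b"GET /index.php?page=http://example.test/a.txt HTTP/1.0\r\n\r\n",
    "ftp": b"GET /index.php?page=ftp://example.test/a.txt HTTP/1.0\r\n\r\n",
    "php_filter": b"GET /index.php?page=php://filter/resource=http://example.test/a.txt HTTP/1.0\r\n\r\n",
    "leading_crlf": b"\r\n\r\n\r\nGET /index.php?page=http://example.test/a.txt HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.php?page=about HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} narrow={narrow_signature(raw)!s:5} "
              f"scheme_agnostic={bool(url_valued_params(raw))}")
```

The scheme-agnostic check flags every URL-valued parameter, so it suits parameters that are never expected to carry a URL and needs an allowlist elsewhere.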
