BugTraq
New Snort Bypass - Patch - Bypass of Patch Jun 02 2006 05:26AM
Sigint Consulting (info sigint-consulting com) (1 replies)
Re: New Snort Bypass - Patch - Bypass of Patch Jun 02 2006 11:16PM
M. Dodge Mumford (dodge nfr net) (1 replies)
Re: New Snort Bypass - Patch - Bypass of Patch Jun 03 2006 04:12PM
M. Dodge Mumford (dodge nfr net) (1 replies)
[Sorry to reply to my own post, but...]

M. Dodge Mumford said:
> Sigint Consulting said:
> > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc
> > 192.168.1.3 80
> >
> > No alert is generated from the string above.
>
> [...]
>
> > We are not sure how much this may buy an attacker as the CR character
> > may mess up any requests to the webserver, further research is needed
> > on this.
>
> I performed this research while developing NFR's web signatures, and found
> that all web servers I tested (several years ago) handled end-of-lines using
> "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
> interprets "index.php" in the example above as an actual filename, I for one
> would be very interested in knowing about it.

Apparently my memory is failing. If I performed this test, I remembered the
results incorrectly. Mea culpa.

--

Dodge
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFEgbUJ4Cw5+cTF6YkRAuCoAKCUlJvUTRmaFLPY1DPAWkzVyqFlKwCfYgYI
aWq5+SDOCR7ITFS5dP+MERc=
=y85g
-----END PGP SIGNATURE-----

[ reply ]
Re: New Snort Bypass - Patch - Bypass of Patch Jun 05 2006 11:17AM
Pukhraj Singh (pukhraj singh gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus