Vulnerability Development mailing list archives
Re: thttpd-2.24
From: Nicob <nicob () nicob net>
Date: Fri, 14 Nov 2003 12:10:16 +0100
On Mon, 2003-11-10 at 08:50, Byron Sonne wrote:
> If this '/' is always supposed to be present (i.e. by protocol or spec) then one could assume it is not hugely relevant (it acts as a delimiter) so somewhere some code eliminates it, and generalized it as simply 'remove the first character' instead of 'check for a slash and remove it if present'.
And this can be used to avoid signature-based IDS when attacking thttpd. For example, requests like "GET .cgi-bin/phf HTTP/1.0" will not be detected as attacks if the IDS sig is the exact string "/cgi-bin/phf".

--
Nicob <nicob () nicob net>
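The signature gap described in this message, seen from the detection side, as an added example that is not part of the original thread or of any IDS's own code. It assumes, as hypothesized earlier in the thread, that the server drops the first character of the request target without checking it; the function names and the sample request lines are constructed for illustration.

```python
import re

# Signature string taken from the post; the request lines are constructed samples.
SIGNATURES = ["/cgi-bin/phf"]
SAMPLES = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET .cgi-bin/phf HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

def raw_match(line):
    """Exact-string signature match on the raw request line."""
    return any(sig in line for sig in SIGNATURES)

def served_path(target):
    """Assumption from the thread: the server removes the first character
    of the target without checking that it is '/'."""
    return target[1:]

def normalized_match(line):
    """Match on what the server would act on, not on the bytes on the wire."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False
    path = served_path(m.group(2))
    return any(path.startswith(served_path(sig)) for sig in SIGNATURES)

def malformed_target(line):
    """Flag targets that are neither an abs_path ('/...'), an absolute URI,
    nor '*', which the HTTP request-line grammar does not allow."""
    m = REQUEST_LINE.match(line)
    if not m:
        return True
    target = m.group(2)
    return not (target.startswith("/") or "://" in target or target == "*")

def evaluate(line):
    """Return (raw hit, normalized hit, malformed target) for one request line."""
    return raw_match(line), normalized_match(line), malformed_target(line)

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, evaluate(line))
```

The second sample is missed by the raw string match but caught both by the normalized comparison and by the protocol-anomaly check, which needs no per-attack signature at all.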