Bugtraq mailing list archives
Re: New Snort Bypass - Patch - Bypass of Patch
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Sat, 3 Jun 2006 12:12:57 -0400
[Sorry to reply to my own post, but...]

M. Dodge Mumford said:
> Sigint Consulting said:
> > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
> >
> > No alert is generated from the string above.
> [...]
> > We are not sure how much this may buy an attacker as the CR character may mess up any requests to the webserver, further research is needed on this.
>
> I performed this research while developing NFR's web signatures, and found that all web servers I tested (several years ago) handled end-of-lines using "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that interprets "index.php" in the example above as an actual filename, I for one would be very interested in knowing about it.

Apparently my memory is failing. If I performed this test, I remembered the results incorrectly. Mea culpa.

--
Dodge
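A defensive check for the request discussed in this thread, as an added example that is not part of the original posts: it reads the request line accepting either LF or CRLF as the terminator and reports a bare CR or other non-printable bytes inside it. The function names and the two clean sample requests are constructed for illustration; `PAGE_SAMPLE` is the byte string printed by the quoted perl one-liner.

```python
import re

# Bytes with no place in an HTTP/1.x request line: C0 controls, DEL,
# and anything above 0x7e (for example 0x90).
SUSPECT = re.compile(rb"[\x00-\x1f\x7f-\xff]")

# The bytes produced by the perl one-liner quoted in the thread.
PAGE_SAMPLE = b"GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"
# Constructed samples: the same request without the extra bytes.
CLEAN_CRLF = b"GET /index.php HTTP/1.0\r\n\r\n"
CLEAN_LF = b"GET /index.php HTTP/1.0\n\n"


def first_line(raw: bytes) -> bytes:
    """Return the request line, accepting LF or CRLF as the terminator."""
    line = raw.split(b"\n", 1)[0]
    return line[:-1] if line.endswith(b"\r") else line


def inspect_request_line(raw: bytes) -> list[str]:
    """Return findings for the request line; an empty list means clean."""
    line = first_line(raw)
    findings = []
    if b"\r" in line:
        # A CR that is not part of the line terminator.
        findings.append("bare CR inside request line")
    others = sorted({b for b in SUSPECT.findall(line) if b != b"\r"})
    if others:
        shown = " ".join(f"0x{b[0]:02x}" for b in others)
        findings.append("non-printable bytes: " + shown)
    parts = line.split(b" ")
    if len(parts) != 3:
        findings.append(f"expected 3 space-separated fields, got {len(parts)}")
    return findings


if __name__ == "__main__":
    for name, raw in [("page sample", PAGE_SAMPLE),
                      ("clean CRLF", CLEAN_CRLF),
                      ("clean LF", CLEAN_LF)]:
        print(name, "->", inspect_request_line(raw) or "clean")
```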