Dailydave mailing list archives
Re: New Snort Bypass - Patch - Bypass of Patch
From: Sigint Consulting <info () sigint-consulting com>
Date: Mon, 05 Jun 2006 11:50:18 -0700
Apache 2 ignores any combination of the following bytes before the URI: 0x09 0x0b 0x0c 0x0d 0x20 (man isspace)
If you specify 0x0a before the URI, it causes Apache to truncate the request, so in most cases this results in the index.html page being returned. Try your 0x0a example again with a non-index.html URI and it will still serve up the main page.
HD, You are correct, the request using \x0a is truncated and index.html is returned, my apologies. However the \x0d character is still accepted and the proper page is returned. I cannot confirm on anything except apache 1.3.34 at the moment. $ perl -e 'print "GET \x0d/html/1.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80 HTTP/1.1 200 OK Date: Wed, 07 Jun 2006 08:42:53 GMT Server: Apache/1.3.34 (Debian) Last-Modified: Wed, 07 Jun 2006 08:42:37 GMT ETag: "6f648-16-4486917d" Accept-Ranges: bytes Content-Length: 22 Connection: close Content-Type: text/html; charset=iso-8859-1 this is a test 1.html Chris -------------------------------- www.sigint-consulting.com info () sigint-consulting com Charlotte, North Carolina Information Security Consulting --------------------------------
Current thread:
- New Snort Bypass - Patch - Bypass of Patch Sigint Consulting (Jun 02)
- Message not available
- Message not available
- Re: New Snort Bypass - Patch - Bypass of Patch Pukhraj Singh (Jun 05)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: New Snort Bypass - Patch - Bypass of Patch Pukhraj Singh (Jun 05)
- Message not available
- <Possible follow-ups>
- Re: New Snort Bypass - Patch - Bypass of Patch Sigint Consulting (Jun 03)
- Re: Re: New Snort Bypass - Patch - Bypass of Patch H D Moore (Jun 05)
- Re: New Snort Bypass - Patch - Bypass of Patch Sigint Consulting (Jun 05)