Full Disclosure mailing list archives
Re: New Santy-Worm attacks *all* PHP-skripts
From: Paul Laudanski <zx () castlecops com>
Date: Sun, 26 Dec 2004 01:33:10 -0500 (EST)
On Sat, 25 Dec 2004, Paul Laudanski wrote:
[code] SecFilter "visualcoders\.net/spy\.gif\?\&cmd" SecFilter ":/" [/code] Just in case the URL changes, the latter should still get all sorts of: http:// ftp:// Naturally, the latter also filters on %3a%2f
I've been noticing some filters out there that may be a little too all encompassing. Just giving a heads up. http://castlecops.com/article-5640-nested-0-0.html [quote] I've seen some folks filtering the echr or esystem from the GET requests. This is flawed, because they are often times preceded by %2525echr(x) Where x is any character. This turns into %.chr(x) Which is a concatenation in PHP, and the chr is a function call from php: http://php.net/chr So filtering on echr or esystem is not valid, as e is part of the hexadecimal code, and simply put, it can be replaced with another hex code, then the echr filter would not match. Filtering then on chr doesn't work either, because you can multiple false positive matches: chris christmas christ etc Instead of focusing on the good characters, you need to focus on the bad characters like the tick mark. [/quote]
No Warranty ----------- ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. http://castlecops.com/article1.html
-- Regards, Paul Laudanski - Computer Cops, LLC. CEO & Founder CastleCops(SM) - http://castlecops.com Promoting education and health in online security and privacy. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- <Possible follow-ups>
- New Santy-Worm attacks *all* PHP-skripts Gary E. Miller (Dec 26)
- New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 27)
- Re: New Santy-Worm attacks *all* PHP-skripts Raistlin (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 26)
- Re: Re: New Santy-Worm attacks *all* PHP-skripts Steve Wray (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Paul Laudanski (Dec 25)
- Re: New Santy-Worm attacks *all* PHP-skripts Pekka Savola (Dec 29)
- Re: New Santy-Worm attacks *all* PHP-skripts Juergen Schmidt (Dec 29)