RE: [Dailydave] Testing the quickness of signature writers
From: Dave Korn (dave.korn artimi.com)
Date: Tue May 02 2006 - 13:59:25 CDT
On 02 May 2006 19:51, Brian Caswell wrote:
> On May 2, 2006, at 2:20 PM, M. Shirk wrote:
>>>>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
>>>
>>> A forward slash, followed by any one char from the set ('?', ';', '&')
>>> followed by the literal text "module=" followed by any number (zero or
>>> more) alphanumerics followed by any char that is neither ';' nor '&'. All
>>> matched against the decoded URI buffer.
>>
>> That space after the \? will be evaluated in the character set and
>> the forward slash acts as the bracket for the pcre expression.
>
> In the rule I originally sent, there was no space in the character
> set. Probably added accidentally when dave copied it in his response.
Ah, yes, I didn't unwrap the lines correctly; mea culpa.
BTW I haven't read the original advisory, so I dunno: doesn't this only
check the first cgi param after the end of the path? Wouldn't it work if you
replaced
http://server/path/?module=EVIL*GOES*HERE&otherparams=stuff&yetmore=more
with
http://server/path/?foo=bar&module=EVIL*GOES*HERE&otherparams=stuff&yetmore=more
or some other re-ordering?
cheers,
DaveK
--
Can't think of a witty .sigline today....
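
Added example, not part of the original message or the rule author's code: a small Python harness that runs the signature's regex, both as Brian Caswell says he sent it and as quoted with the stray space, over constructed URIs that include the two parameter orderings from the message. Assumptions: Python's `re` stands in for PCRE, and the hypothetical `decoded_uri` helper approximates the decoded URI buffer that `/U` matches against.

```python
import re
from urllib.parse import urlsplit, unquote

# Regex as originally sent, per the thread (no space in the character class).
RULE_ORIGINAL = re.compile(r"[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")
# Regex as it appears in the quoted reply, with the stray space in the class.
RULE_AS_QUOTED = re.compile(r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")


def decoded_uri(url):
    """Assumed stand-in for the decoded URI buffer: path + query, percent-decoded."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(uri)


def fires(rule, url):
    """True if the rule's regex matches anywhere in the decoded URI."""
    return rule.search(decoded_uri(url)) is not None


# Constructed test URIs; the first two are the orderings from the message.
CASES = {
    "module_first": "http://server/path/?module=EVIL*GOES*HERE&otherparams=stuff&yetmore=more",
    "module_second": "http://server/path/?foo=bar&module=EVIL*GOES*HERE&otherparams=stuff&yetmore=more",
    "semicolon_sep": "http://server/path/?foo=bar;module=EVIL*GOES*HERE",
    "space_before": "http://server/path/?foo=bar%20module=EVIL*GOES*HERE",
    "empty_value": "http://server/path/?foo=bar&module=&x=1",
    # Backtracking lets the final class consume the last alphanumeric.
    "plain_alnum": "http://server/path/?module=news",
    "other_param": "http://server/path/?submodule=news",
}


def run_cases():
    """Return {case: (original_fires, as_quoted_fires)} for every test URI."""
    return {
        name: (fires(RULE_ORIGINAL, url), fires(RULE_AS_QUOTED, url))
        for name, url in CASES.items()
    }


if __name__ == "__main__":
    for name, (orig, quoted) in run_cases().items():
        print(f"{name:14} original={orig!s:5} as_quoted={quoted!s:5}")
```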