Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: H D Moore (fdlistdigitaloffense.net)
Date: Wed Jun 20 2007 - 09:19:49 CDT
Agreed. The point was that IPS vendors have put a large amount of effort
into normalizing IIS-specific encodings, but fail to handle
The note in RFC 2616, Section 4.1, refers to a single CRLF before the
Request-Line. Prepending multiple CRLFs or non-printable characters (as
coderman mentioned) falls outside of the RFC and I consider them
Apache-specific HTTP evasions.
Jamie has a good point about the PHP RFI signatures. Many IPS products
(sorry, I don't want to pick on any particular vendor) will look for a
http:// URL to detect RFI attacks. Replacing http with one of the other
protocol handlers (zip, ftp, file, smb on windows, etc) will evade many
of these signatures. The php://filter/resource trick is a nice hack for
evading existing signatures while still using a http URL for the included
On Wednesday 20 June 2007 08:50, 3APA3A wrote:
> You simply MUST accept the risk there is always the way to
> bypass content filtering. IPS like doesn't protect your network by
> itself. IPS is nothing, but a tool.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/