[Oisf-devel] Directory Traversal not fire when are encoded ?

Anoop Saldanha anoopsaldanha at gmail.com
Sun Jul 8 06:20:57 UTC 2012


As far as I see it, it shouldn't fire at all for any of the below cases,
since the ".." should be normalized.  The bug would rather be Suricata
firing when double encoded, than Suricata not firing for the
non-encoded or single encoded case.

I think the path normalization seems to happen before the second level
of decoding happens on the URI, and maybe that's why it fires with
double encoded URIs.

On Sun, Jul 8, 2012 at 2:56 AM, Rm Kml <rmkml at yahoo.fr> wrote:
> Hi,
>
> First, Congrats All for Suricata v1.3 !
>
> I'm continuing my testing, and may have discovered that Suricata does not
> fire when directory traversal is encoded like this:
>
> GET
> /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E//etc/vmware/hostd/vmInventory.xml
> HTTP/1.1
>
> (Thx Nmap Scripting Engine [nse])
>
> Can someone confirm this, please? (If yes, I'll open a new Redmine ticket.)
>
> OK, if I create this rule:
>  ... content:"../"; http_uri; ...
>
> 1) Suricata fires with "GET /sdk/../..."
>
> 2) Suricata does not fire with (simple encoded) "GET /sdk/%2E%2E/..."
>
> 3) Suricata fires with (double encoded) "GET /sdk/%252E%252E%252F..."
>
> Regards
> Rmkml
>
> http://www.twitter.com/rmkml
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel



-- 
Anoop Saldanha
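
The ordering suggested in the reply above, as an added model (not code from Suricata or libhtp, and not part of the original message): it compares "decode once, normalize the path, decode again" with "decode both levels, then normalize" for a content:"../" match. The function names and the sample URIs are constructed for illustration; only the encoding styles come from the thread.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """Resolve "." and ".." path segments; never climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def hypothesised_buffer(uri):
    """Assumed order from the reply: decode, normalize, second decode."""
    return unquote(remove_dot_segments(unquote(uri)))


def decode_first_buffer(uri):
    """Alternative order: both decoding levels first, then normalize."""
    return remove_dot_segments(unquote(unquote(uri)))


def rule_fires(buffer, content="../"):
    """Plain substring match, standing in for content:"../"; http_uri;"""
    return content in buffer


# Constructed sample URIs, one per encoding style discussed in the thread.
SAMPLES = {
    "plain": "/sdk/../../file.xml",
    "single": "/sdk/%2E%2E/%2E%2E/file.xml",
    "double": "/sdk/%252E%252E%252F%252E%252E%252Ffile.xml",
}


def compare(samples=SAMPLES):
    """Return {style: (fires_under_hypothesised_order, fires_decode_first)}."""
    return {
        name: (rule_fires(hypothesised_buffer(uri)),
               rule_fires(decode_first_buffer(uri)))
        for name, uri in samples.items()
    }


if __name__ == "__main__":
    for name, (hyp, fixed) in compare().items():
        print(f"{name:6} hypothesised={hyp!s:5} decode-first={fixed}")
```

In this model only the double encoded URI still contains "../" after the hypothesised order, because the dot segments are still percent-encoded when normalization runs; with both decoding levels applied first, all three collapse to the same path.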


