[Oisf-devel] RE : Re: Directory Traversal not fire when are encoded ?

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jul 9 16:30:43 UTC 2012


Seeing 2 bugs basically,

1. %2f isn't decoded.  We would have to test other characters to see
if we have the same problem.

2. If you have a double encoded path and it manages to double decode
the path correctly, the path normalization on the double decoded path
doesn't happen.

On Mon, Jul 9, 2012 at 12:18 AM, rmkml at yahoo.fr <rmkml at yahoo.fr> wrote:
> thx Anoop,
> How Suricata handle http dir traversal encoded or not ?

If unencoded or single encoded, path normalization is okay.  The problem
is with double encoded paths.

> Regards
> Rmkml
>
>
>
> -------- Original message -------- Subject: Re: [Oisf-devel] Directory
> Traversal not fire when are encoded ? From: Anoop Saldanha To:
> rmkml at yahoo.fr CC: Oisf-devel at openinfosecfoundation.org
>
> As far as I see it, it shouldn't fire at all for any of the below cases,
> since the ".." should be normalized.  The bug would rather be Suricata
> firing when double encoded, than Suricata not firing for the
> non-encoded or single encoded case.
>
> I think the path normalization seems to happen before the second level
> of decoding happens on the uri, and maybe that's why it fires with
> double encoded uris.
>
> On Sun, Jul 8, 2012 at 2:56 AM, Rm Kml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> First, Congrats All for Suricata v1.3 !
>>
>> I'm continuing my testing, and may have discovered that Suricata does not
>> fire when a directory traversal is encoded like this:
>>
>> GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E//etc/vmware/hostd/vmInventory.xml HTTP/1.1
>>
>> (Thanks to the Nmap Scripting Engine [NSE])
>>
>> Can someone confirm this please? (If yes, I'll open a new Redmine ticket.)
>>
>> OK, if I create this rule:
>>  ... content:"../"; http_uri; ...
>>
>> 1) Suricata fires with "GET /sdk/../..."
>>
>> 2) Suricata does not fire with (single encoded) "GET /sdk/%2E%2E/..."
>>
>> 3) Suricata fires with (double encoded) "GET /sdk/%252E%252E%252F..."
>>
>> Regards
>> Rmkml
>>
>> http://www.twitter.com/rmkml
>>
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
>
> --
> Anoop Saldanha



-- 
Anoop Saldanha
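The decode/normalize ordering the thread is arguing about, as an added worked example. This is constructed illustration code, not Suricata or libhtp code: the percent decoder, the segment normalizer, the two pipelines (normalize_then_decode, modelling the ordering Anoop suspects, and decode_then_normalize, the ordering that would not fire) and the shortened sample requests are all assumptions chosen to reproduce the three observations in rmkml's post, not a description of how Suricata implements them. The decode_slash flag models the separate "%2f isn't decoded" bug.

```python
# Constructed model of percent-decoding and path normalization order.
# Added illustration; NOT Suricata or libhtp code.  The decoder, the
# normalizer and both pipelines below are assumptions chosen to reproduce
# the three observations in the thread, not a description of Suricata.
from typing import Dict, List, Tuple

HEXDIGITS = "0123456789abcdefABCDEF"


def percent_decode(s: str, decode_slash: bool = True) -> str:
    """One pass of %XX decoding.  Malformed sequences are copied through
    untouched.  With decode_slash=False an encoded slash (%2F) is kept
    as-is, modelling a decoder that never turns %2F into a separator
    (the first bug Anoop lists).  Bytes map 1:1 to characters; multi-byte
    UTF-8 is out of scope for this model."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
            byte = int(s[i + 1:i + 3], 16)
            if byte == 0x2F and not decode_slash:
                out.append(s[i:i + 3])      # keep the literal "%2F"
            else:
                out.append(chr(byte))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def normalize_path(path: str) -> str:
    """Segment-wise normalization (assumed behaviour): drop '.' and empty
    segments (so '//' collapses) and let '..' pop the previous segment.
    A '..' at the root is silently dropped.  Result starts with one '/'."""
    out: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_then_decode(raw: str, decode_slash: bool = True) -> str:
    """The ordering Anoop suspects: first decoding pass, normalization,
    then a second decoding pass with no normalization afterwards."""
    once = percent_decode(raw, decode_slash)
    return percent_decode(normalize_path(once), decode_slash)


def decode_then_normalize(raw: str, decode_slash: bool = True, passes: int = 2) -> str:
    """Apply every decoding pass first, then normalize the final path."""
    uri = raw
    for _ in range(passes):
        uri = percent_decode(uri, decode_slash)
    return normalize_path(uri)


def rule_matches(uri: str) -> bool:
    """The thread's rule, content:"../"; http_uri; reduced to a plain
    substring test on the normalized URI buffer."""
    return "../" in uri


# Constructed requests modelled on the post's three cases (path shortened);
# "single_slash" additionally encodes the separator itself as %2F.
CASES: Dict[str, str] = {
    "plain": "/sdk/../../etc/passwd",
    "single": "/sdk/%2E%2E/%2E%2E/etc/passwd",
    "single_slash": "/sdk/%2E%2E%2F%2E%2E%2Fetc/passwd",
    "double": "/sdk/%252E%252E%252F%252E%252E%252Fetc/passwd",
}


def final_uris(decode_slash: bool = True) -> Dict[str, Tuple[str, str]]:
    """Map each case to (normalize_then_decode result, decode_then_normalize result)."""
    return {
        name: (normalize_then_decode(raw, decode_slash), decode_then_normalize(raw, decode_slash))
        for name, raw in CASES.items()
    }


if __name__ == "__main__":
    for decode_slash in (True, False):
        print(f"\n%2F decoded: {decode_slash}")
        for name, (early, late) in final_uris(decode_slash).items():
            print(f"{name:13s} normalize-then-decode: {early!r:34s} fires={rule_matches(early)}")
            print(f"{'':13s} decode-then-normalize: {late!r:34s} fires={rule_matches(late)}")
```

Compare the "double" row: when normalization sits between the two decoding passes, the second pass re-creates "../" in the buffer and the rule fires (rmkml's case 3), whereas decoding fully before normalizing collapses it to the same "/etc/passwd" as cases 1 and 2 and nothing fires. The decode_slash=False run shows the other bug: an encoded slash that is never decoded leaves "..%2F" in the buffer, which is neither a ".." segment for the normalizer nor a match for "../", under either ordering.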


