[Oisf-devel] RE : Re: Directory Traversal not fire when are encoded ?

Victor Julien victor at inliniac.net
Wed Jul 11 08:03:12 UTC 2012


On 07/09/2012 06:30 PM, Anoop Saldanha wrote:
> Seeing 2 bugs basically,
> 
> 1. %2f isn't decoded.  We would have to test other characters to see
> if we have the same problem.
> 
> 2. If you have a double encoded path and it manages to double decode
> the path correctly, the path normalization on the double decoded path
> doesn't happen.
> 

Can you open a ticket for this with 1.3.1 as target?

Cheers,
Victor

> On Mon, Jul 9, 2012 at 12:18 AM, rmkml at yahoo.fr <rmkml at yahoo.fr> wrote:
>> thx Anoop,
>> How does Suricata handle HTTP dir traversal, encoded or not?
> 
> If unencoded, single encoded - path normalization is okay.  Problem
> with double encoded paths.
> 
>> Regards
>> Rmkml
>>
>>
>>
>> -------- Original message -------- Subject: Re: [Oisf-devel] Directory
>> Traversal not fire when are encoded ? From: Anoop Saldanha To:
>> rmkml at yahoo.fr CC: Oisf-devel at openinfosecfoundation.org
>>
>> Afai see it, it shouldn't fire at all for any of the below cases,
>> since the ".." should be normalized.  The bug would rather be Suricata
>> firing when double encoded, than Suricata not firing for the
>> non-encoded or single encoded case.
>>
>> I think the path normalization seems to happen before the second level
>> of decoding happens on the uri, and maybe that's why it fires with
>> double encoded uris.
>>
>> On Sun, Jul 8, 2012 at 2:56 AM, Rm Kml <rmkml at yahoo.fr> wrote:
>>> Hi,
>>>
>>> First, Congrats All for Suricata v1.3 !
>>>
>>> I'm continuing my testing, and maybe discovered that Suricata does not fire when
>>> dir traversal is encoded like this:
>>>
>>> GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E//etc/vmware/hostd/vmInventory.xml HTTP/1.1
>>>
>>> (Thx Nmap Scripting Engine [nse])
>>>
>>> Can someone confirm this please? (If yes, I'll open a new redmine ticket.)
>>>
>>> OK, if I create this rule:
>>>  ... content:"../"; http_uri; ...
>>>
>>> 1) Suricata fires with "GET /sdk/../..."
>>>
>>> 2) Suricata does not fire with (simple encoded) "GET /sdk/%2E%2E/..."
>>>
>>> 3) Suricata fires with (double encoded) "GET /sdk/%252E%252E%252F..."
>>>
>>> Regards
>>> Rmkml
>>>
>>> http://www.twitter.com/rmkml
>>>
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>>
>> --
>> Anoop Saldanha
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
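The thread above turns on the order of two stages in the HTTP URI normalization pipeline: percent-decoding (possibly more than one round) and removal of ".." path segments. The following is an added model written for this archive page; it is not Suricata or libhtp code, and it does not reproduce their actual normalization rules. It only shows why a `content:"../"; http_uri;` match behaves differently when ".." removal runs before the second decoding round (the order Anoop suspects) versus after it. Assumptions of the model are marked in comments: repeated slashes are collapsed, ".." at the root is dropped, and the double-encoded URI is completed here as a constructed sample because the original mail truncates it with "...".

```python
"""Model of the URI decode / normalize pipeline discussed in this thread.

Constructed illustration, not Suricata or libhtp code.  It models only the two
stages the thread talks about (percent-decoding rounds and ".." path
normalization) to show why a `content:"../"; http_uri;` match depends on the
ORDER in which those stages run.  Modelling assumptions: repeated slashes are
collapsed, and ".." at the root is dropped rather than kept.
"""
from urllib.parse import unquote

# URIs from the thread.  The double-encoded one is completed here as a
# constructed sample, since the original mail truncates it with "...".
PLAIN = "/sdk/../../../../../..//etc/vmware/hostd/vmInventory.xml"
SINGLE_ENCODED = "/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E//etc/vmware/hostd/vmInventory.xml"
DOUBLE_ENCODED = "/sdk/%252E%252E%252F%252E%252E%252Fetc/vmware/hostd/vmInventory.xml"


def decode_once(uri: str) -> str:
    """One round of percent-decoding: %2E -> '.', %2F -> '/', %25 -> '%'."""
    return unquote(uri)


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments and collapse empty segments ('//').

    Assumption of this model: '..' at the root is dropped, '//' is collapsed.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                 # empty segment or '.' contributes nothing
        if seg == "..":
            if out:
                out.pop()            # step back one directory
            continue                 # '..' at the root is dropped
        out.append(seg)
    return "/" + "/".join(out)


def pipeline_normalize_before_second_decode(uri: str) -> list:
    """Order Anoop suspects: decode, normalize, decode again, no re-normalize.

    Returns every intermediate buffer as (stage_name, buffer) so the reader
    can see where the '..' reappears.
    """
    stages = [("raw", uri)]
    uri = decode_once(uri)
    stages.append(("decode #1", uri))
    uri = remove_dot_segments(uri)
    stages.append(("normalize", uri))
    uri = decode_once(uri)
    stages.append(("decode #2", uri))
    return stages


def pipeline_normalize_last(uri: str) -> list:
    """Same decoding rounds, but normalization runs after the final round."""
    stages = [("raw", uri)]
    uri = decode_once(uri)
    stages.append(("decode #1", uri))
    uri = decode_once(uri)
    stages.append(("decode #2", uri))
    uri = remove_dot_segments(uri)
    stages.append(("normalize", uri))
    return stages


def final_buffer(stages: list) -> str:
    """The buffer a normalized-URI content match is run against."""
    return stages[-1][1]


def rule_fires(stages: list, pattern: str = "../") -> bool:
    """Model of `content:"../"; http_uri;` against the final buffer."""
    return pattern in final_buffer(stages)


if __name__ == "__main__":
    cases = (("plain", PLAIN), ("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED))
    for name, uri in cases:
        for pipeline in (pipeline_normalize_before_second_decode, pipeline_normalize_last):
            stages = pipeline(uri)
            print(f"{name:7s} {pipeline.__name__:40s} fires={rule_fires(stages)}")
            for stage, buf in stages:
                print(f"    {stage:10s} {buf}")
```

Run stand-alone, the model reproduces the pattern reported in the thread: the plain and single-encoded URIs normalize to the same path and never contain "../" at match time, while the double-encoded URI only fires when ".." removal happens before the second decoding round, because that round re-creates the ".." segments that were never normalized away. With normalization applied after the final decoding round, all three forms end up as the same buffer and none of them matches.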