[Oisf-devel] RE : Re: Directory Traversal not fire when are encoded ?

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jul 11 13:07:36 UTC 2012


On Wed, Jul 11, 2012 at 1:33 PM, Victor Julien <victor at inliniac.net> wrote:
> On 07/09/2012 06:30 PM, Anoop Saldanha wrote:
>> Seeing 2 bugs basically,
>>
>> 1. %2f isn't decoded.  We would have to test other characters to see
>> if we have the same problem.
>>
>> 2. If you have a double encoded path and it manages to double decode
>> the path correctly, the path normalization on the double decoded path
>> doesn't happen.
>>
>
> Can you open a ticket for this with 1.3.1 as target?
>

Done.  Tracking these 2 with #503 and #504.

> Cheers,
> Victor
>
>> On Mon, Jul 9, 2012 at 12:18 AM, rmkml at yahoo.fr <rmkml at yahoo.fr> wrote:
>>> thx Anoop,
>>> How does Suricata handle HTTP dir traversal, encoded or not?
>>
>> If unencoded, single encoded - path normalization is okay.  Problem
>> with double encoded paths.
>>
>>> Regards
>>> Rmkml
>>>
>>>
>>>
>>> -------- Original message --------
>>> Subject: Re: [Oisf-devel] Directory Traversal not fire when are encoded ?
>>> From: Anoop Saldanha
>>> To: rmkml at yahoo.fr
>>> CC: Oisf-devel at openinfosecfoundation.org
>>>
>>> Afai see it, it shouldn't fire at all for any of the below cases,
>>> since the ".." should be normalized.  The bug would rather be suricata
>>> firing when double encoded, than suricata not firing for the
>>> non-encoded or single encoded case.
>>>
>>> I think the path normalization seems to happen before the second level
>>> of decoding happens on the uri, and maybe that's why it fires with
>>> double encoded uris.
>>>
>>> On Sun, Jul 8, 2012 at 2:56 AM, Rm Kml <rmkml at yahoo.fr> wrote:
>>>> Hi,
>>>>
>>>> First, Congrats All for Suricata v1.3 !
>>>>
>>>> I'm continuing my testing, and maybe discovered that Suricata does not fire when
>>>> dir traversal is encoded like this:
>>>>
>>>> GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E//etc/vmware/hostd/vmInventory.xml HTTP/1.1
>>>>
>>>> (Thx Nmap Scripting Engine [nse])
>>>>
>>>> Can someone confirm this please? (If yes, I'll open a new Redmine ticket.)
>>>>
>>>> ok if I create this rule:
>>>>  ... content:"../"; http_uri; ...
>>>>
>>>> 1) Suricata fires with "GET /sdk/../..."
>>>>
>>>> 2) Suricata does not fire with (simple encoded) "GET /sdk/%2E%2E/..."
>>>>
>>>> 3) Suricata fires with (double encoded) "GET /sdk/%252E%252E%252F..."
>>>>
>>>> Regards
>>>> Rmkml
>>>>
>>>> http://www.twitter.com/rmkml
>>>>
>>>>
>>>> _______________________________________________
>>>> Oisf-devel mailing list
>>>> Oisf-devel at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>>
>>>
>>> --
>>> Anoop Saldanha
>>
>>
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>



-- 
Anoop Saldanha
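
The ordering issue hypothesized in the thread (path normalization running before the second level of decoding) can be modelled in a few lines. This is an added example, not code from the thread, Suricata or libhtp; the function names, the fixed two-pass decode and the sample paths are assumptions made for illustration.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def pct_decode(path, decode_slash=True):
    """One pass of percent-decoding; decode_slash=False leaves %2F encoded (bug 1)."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return m.group(0) if (ch == "/" and not decode_slash) else ch
    return _PCT.sub(repl, path)

def remove_dot_segments(path):
    """Collapse '.', '..' and empty segments of an absolute path."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def normalize_then_decode(path):
    """Hypothesized ordering: decode once, normalize, then decode a second time."""
    return pct_decode(remove_dot_segments(pct_decode(path)))

def decode_then_normalize(path, decode_slash=True):
    """Decode both levels first, normalize the fully decoded path last."""
    once = pct_decode(path, decode_slash)
    return remove_dot_segments(pct_decode(once, decode_slash))

def rule_matches(buf):
    """Stand-in for content:"../"; http_uri; applied to the normalized buffer."""
    return "../" in buf

# Constructed paths mirroring the three cases in the report (raw, single, double)
SAMPLES = {
    "raw": "/sdk/../../etc/vmware/hostd/vmInventory.xml",
    "single": "/sdk/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml",
    "double": "/sdk/%252E%252E%252F%252E%252E%252Fetc/vmware/hostd/vmInventory.xml",
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        early, late = normalize_then_decode(path), decode_then_normalize(path)
        print(f"{name:7} early={early!r} match={rule_matches(early)}")
        print(f"{'':7} late ={late!r} match={rule_matches(late)}")
```

In this model only the double-encoded path still contains `../` under the early-normalization ordering; with `decode_slash=False` a segment such as `..%2Fetc` is never recognised as a dot segment, which is the effect of the first bug listed above.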


