[Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts

• Previous message: Ciaran McCreesh: "[Full-Disclosure] Re: Fwd: Re: [USN-52-1] vim vulnerability"
• In reply to: Paul Laudanski: "[Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 26 Dec 2004 01:33:10 -0500 (EST)
To: bugs@securitytracker.com, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <moderators@osvdb.org>, <news@securiteam.com>, <vuln@secunia.com>, <vulnwatch@vulnwatch.org>

On Sat, 25 Dec 2004, Paul Laudanski wrote:

> [code]
> SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
> SecFilter ":/"
> [/code]
>
> Just in case the URL changes, the latter should still get all sorts of:
>
> http://
> ftp://
>
> Naturally, the latter also filters on
>
> %3a%2f

I've been noticing some filters out there that may be a little too all
encompassing. Just giving a heads up.

http://castlecops.com/article-5640-nested-0-0.html

[quote]
I've seen some folks filtering the echr or esystem from the GET requests.
This is flawed, because they are often times preceded by

%2525echr(x)

Where x is any character.

This turns into

%.chr(x)

Which is a concatenation in PHP, and the chr is a function call from php:

http://php.net/chr

So filtering on echr or esystem is not valid, as e is part of the
hexadecimal code, and simply put, it can be replaced with another hex
code, then the echr filter would not match.

Filtering then on chr doesn't work either, because you can multiple false
positive matches:

chris
christmas
christ
etc

Instead of focusing on the good characters, you need to focus on the bad
characters like the tick mark.
[/quote]

>
> No Warranty
> -----------
> ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES,
> AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES
> AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS,
> AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF
> MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND
> NONINFRINGEMENT. http://castlecops.com/article1.html

-- 
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Ciaran McCreesh: "[Full-Disclosure] Re: Fwd: Re: [USN-52-1] vim vulnerability"
• In reply to: Paul Laudanski: "[Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: tcp handshake and InternetOpenURL ... This posting is provided "AS IS" with no warranties, and confers no ... rights. ... filtering by HTTP protocol. ... (microsoft.public.win32.programmer.networks) Re: Password rule on solaris ... OK, this followup is slightly offtopic, but anyway, here I go: ... In article, Jimmy wrote: ... > At least four different characters. ... filtering for that has about as much chance as filtering for all ... (comp.unix.solaris) Re: Persecution nuisance ... filtering because it will aslo screen out any and all other participants in ... "Remove any subject line that contains a string of characters ... I really should tweak it to catch MI5 as well (no extra characters) ... (rec.sport.curling) a way to add the windows return character ... characters, with UNIX commands. ... It'd be the opposite of using "col" ... (Tru64-UNIX-Managers) Re: ClientDataSet problem ... using their characters in field used for filtering. ... not functioning anymore. ... If customer is using data with normal latin charcters everything is ... (alt.comp.lang.borland-delphi)