Re: thttpd-2.24
From: Nicob (nicob_at_nicob.net)
Date: 11/14/03
To: vuln-dev@securityfocus.com
Date: Fri, 14 Nov 2003 12:10:16 +0100
On Mon, 2003-11-10 at 08:50, Byron Sonne wrote:
> If this '/' is always supposed to be present (i.e. by protocol or spec)
> then one could assume it is not hugely relevant (it acts as a delimiter)
> so somewhere some code eliminates it, and generalized it as simply
> 'remove the first character' instead of 'check for a slash and remove it
> if present'.
And this can be used to avoid signature-based IDS when attacking thttpd.
For example, requests like "GET .cgi-bin/phf HTTP/1.0" will not be
detected as attacks if the IDS sig is the exact string "/cgi-bin/phf".
-- Nicob <nicob@nicob.net>
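
Added example, not part of the original message or of thttpd's code: a detection-side check for the mismatch described above. It flags request targets that are not a valid absolute path, absolute URI or "*", and re-matches signatures against the path as a server that drops the first character without checking it would read it. The signature list, function names and sample request lines are constructed for illustration.

```python
import re

# Signature string quoted in the message; a real rule set would hold many.
SIGNATURES = ["/cgi-bin/phf"]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def server_view(target):
    """Path as seen by a server that drops the first character without
    checking it (the behaviour discussed in the thread), re-rooted at '/'."""
    return "/" + target[1:]


def inspect(request_line):
    """Return a list of alert strings for one HTTP request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return ["malformed-request-line"]
    target = m.group(2)
    alerts = []

    # A request target must be an absolute path, an absolute URI, or "*".
    if not (target.startswith("/") or target == "*"
            or ABSOLUTE_URI.match(target)):
        alerts.append("invalid-request-target")

    for sig in SIGNATURES:
        if sig in target:
            alerts.append("signature:" + sig)
        elif sig in server_view(target):
            # Matches only once the target is read the way the server reads it.
            alerts.append("signature-after-normalization:" + sig)
    return alerts


# Constructed sample request lines; the second is the example from the message.
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET .cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/phf HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:35} -> {inspect(line)}")
```

The protocol-anomaly alert fires on any target that does not start with "/", so it does not depend on knowing which character was substituted.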