Hi.. Long time listener, first time poster.

> I agree with José, that w3af isn't a vulnerability exploitation
> framework so it may be out of the scope of the project.

Andres
>Ok, I'm going to follow your advice and I won't add this feature to
>the framework. Thanks for your comments and help!

Perhaps what is required is some definitive guidelines around what the
framework intends to be. I agree that it is not an exploitation
framework, such as Metasploit, but it is a vulnerability detection
framework. Isn't it?

W3AF attempts to detect vulnerabilities in web applications, such as
XSS, SQL injection (bypassing addslashes etc.), .htaccess bypass
(through HEAD vs GET vs POST), auth bypass through page guessing, and
case sensitive checks etc.

So why would you not want it to detect shell command execution filter 
bypass using this vulnerability, or any other char encoding methods?

By the sounds of it, it will take longer to debate this than it would 
to implement it. And implementing it would make the framework stronger.

Brett


-----Original Message-----
From: Andres Riancho [mailto:[EMAIL PROTECTED] 
Sent: Monday, 24 November 2008 10:39 a.m.
To: [EMAIL PROTECTED]
Cc: w3af-develop@lists.sourceforge.net
Subject: Re: [W3af-develop] Advisory SE-2008-03: PHP Multibyte Shell Command
Escaping Bypass Vulnerability

Taras, Jose,

On Sun, Nov 23, 2008 at 7:31 PM, Taras P. Ivashchenko
<[EMAIL PROTECTED]> wrote:
> Andres,
>> But this isn't a buffer overflow, a format string, or something like
>> that, the only thing that I have to add is a 0xc0 char in front of
>> every character that would be normally escaped ( ; | & and some others
>> ). And by "exploiting" this vulnerability, w3af would be bypassing a
>> filter, like the ones that w3af bypasses when "fighting back"
>> gpc_magic_quotes in SQL injection exploitation.
>
> Yes, but gpc_magic_quotes is a PHP-specific option (for all versions
> before 6).
> And bypassing is a specific security issue in PHP of specific versions on
> specific platforms (locales).
>
> I agree with José, that w3af isn't a vulnerability exploitation
> framework so it may be out of the scope of the project.

Ok, I'm going to follow your advice and I won't add this feature to
the framework. Thanks for your comments and help!

Cheers,

> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
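
Added example, not part of the thread and not w3af code: a defensive check for the byte pattern described in the quoted message (a 0xc0 byte directly in front of `;`, `|` or `&`) in percent-encoded query parameters, alongside a strict UTF-8 decode, which always rejects 0xc0. The function names and sample queries are constructed for illustration; the "some others" characters are not listed in the thread, so they are not checked.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xc0 immediately followed by one of the metacharacters named in the thread.
C0_BEFORE_META = re.compile(rb"\xc0([;|&])")


def inspect_value(encoded_value):
    """Decode one percent-encoded value and report what was found in its bytes."""
    raw = unquote_to_bytes(encoded_value)
    hits = [(m.start(), m.group(1).decode("ascii"))
            for m in C0_BEFORE_META.finditer(raw)]
    try:
        raw.decode("utf-8", errors="strict")  # 0xc0 never occurs in valid UTF-8
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    return {"raw": raw, "valid_utf8": valid_utf8, "c0_prefixed": hits}


def scan_query(query_string):
    """Return [(param, finding)] for parameters that should be rejected or logged."""
    flagged = []
    for pair in query_string.split("&"):  # a literal '&' separates parameters
        name, _, value = pair.partition("=")
        finding = inspect_value(value.replace("+", " "))
        if finding["c0_prefixed"] or not finding["valid_utf8"]:
            flagged.append((name, finding))
    return flagged


# Constructed sample query strings (not taken from the thread or the advisory).
SAMPLES = [
    "host=example.test&count=3",      # plain ASCII
    "name=Jos%C3%A9",                 # valid UTF-8, must not be flagged
    "host=example.test%C0%3Bx",       # 0xc0 in front of ';'
    "q=a%C0%7Cb%C0%26c",              # 0xc0 in front of '|' and '&'
]

if __name__ == "__main__":
    for query in SAMPLES:
        for name, finding in scan_query(query):
            print(query, "->", name, finding["c0_prefixed"],
                  "valid_utf8=%s" % finding["valid_utf8"])
```

Rejecting any value that fails the strict decode is the broader control; the 0xc0 pattern match only labels the specific case discussed here for logging.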

