Stefano,

On Tue, Jun 2, 2009 at 3:45 PM, Stefano Di Paola <wi...@wisec.it> wrote:
> Hi Andres,
> good finding, but if you were subscribed to my blog
> http://www.wisec.it/sectou.php
> you'd see that I wrote about it a couple of years ago:
> http://www.wisec.it/sectou.php?id=4698ebdc59d15

hehe, nice!

> Obviously I'm just kidding, =)
> every research is good research when you
> find it by yourself.

Well... I think that my email was misinterpreted (by many people, so I think that it was my problem). I didn't imply that I found this "new" technique, I just wanted to say that I (Andrés Riancho) found out about it. I actually got this technique from a commercial web app sec scanner that I was analyzing :)

I'm in the process of starting to write a w3af plugin to exploit this issue. Do you know if there is any previous research / paper / something done around this vulnerability that I should quote in the plugin source code? (other than yours)

> BTW that finding gave me the chance to find an Xss
> and response splitting on Apache:
> http://www.mindedsecurity.com/MSA01150108.html

Nice finding, but kind of hard to exploit in real life.

> and _I think_ it's still marked as "won't fix".

That sucks :S

Cheers,

> Cheers,
> Stefano
>
> On Tue, 02/06/2009 at 10.10 -0300, Andres Riancho wrote:
>> List,
>>
>> Yesterday I found out a new trick, and I would like to share it with you
>> ;)
>>
>> HTTP Request
>> ========
>>
>> GET /backup HTTP/1.0
>> Accept: foobar/xyz
>> User-Agent: w3af
>> Host: 192.168.150.2
>> Connection: Close
>>
>> HTTP Response
>> =========
>>
>> HTTP/1.1 406 Not Acceptable
>> ...
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>406 Not Acceptable</title>
>> </head><body>
>> <h1>Not Acceptable</h1>
>> <p>An appropriate representation of the requested resource /backup
>> could not be found on this server.</p>
>> Available variants:
>> <ul>
>> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
>> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>> </ul>
>> <hr>
>> <address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
>> PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
>> Server at 192.168.150.2 Port 80</address>
>> </body></html>
>>
>> In the response, please note these lines:
>>
>> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
>> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>>
>> And if we go to the webroot to verify...
>>
>> d...@brick:/var/www$ ls -la | grep backup
>> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:02 backup.tgz
>> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:03 backup.zip
>> d...@brick:/var/www$
>>
>> This trick is really useful when finding (for example) backup files,
>> because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
>> backup.tar.gz, etc. You just ask Apache for the backup file, with an
>> incorrect Accept header (please note Accept: foobar/xyz) and that's
>> it, a list is given back to you.
>>
>> If this ain't new for you, sorry, but it was new for me =)
>>
>> I'm still thinking how I can use this trick in w3af, because I may use
>> it as part of a discovery plugin, or maybe as an audit plugin that
>> finds this as a vulnerability, and code an attack plugin that can
>> exploit it to bruteforce new resources... hmmm... I still have to
>> think. What do you guys think?
>>
>> Cheers,
>
>

-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
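As an added example (not code from the thread or from the w3af project), a small Python check a server owner can run against their own Apache: it builds the same probe request shown in the original mail and parses the 406 body to tell whether the server enumerates variants. The sample body below is the one quoted above (constructed inline so it runs offline); the host value and the User-Agent string are placeholders.

```python
import re
from urllib.parse import urljoin

# Constructed sample: the 406 body quoted earlier in this thread, trimmed.
SAMPLE_406_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>
<hr>
<address>Apache/2.2.8 (Ubuntu) Server at 192.168.150.2 Port 80</address>
</body></html>
"""

# One <li> per variant, in the layout mod_negotiation renders.
VARIANT_RE = re.compile(
    r'<li><a href="([^"]+)">[^<]*</a>\s*,\s*type\s+([^<\s]+)\s*</li>', re.I)


def build_probe_request(path, host):
    """Request text Apache cannot satisfy under content negotiation: an
    Accept header naming a type no variant matches (as in the thread)."""
    return (f"GET {path} HTTP/1.0\r\n"
            "Accept: foobar/xyz\r\n"
            "User-Agent: multiviews-check\r\n"   # placeholder UA string
            f"Host: {host}\r\n"
            "Connection: Close\r\n\r\n")


def parse_variants(body):
    """Return [(href, mime_type)] from the 'Available variants' block of a
    406 page; [] when the block is absent (plain 404/403, custom error page)."""
    start = body.find("Available variants")
    if start < 0:
        return []
    return VARIANT_RE.findall(body[start:])


def resolve_variants(request_path, body):
    """Absolute server paths of the listed variants, relative to the request."""
    return [urljoin(request_path, href) for href, _ in parse_variants(body)]


def leaks_variants(status_line, body):
    """True when the response is a 406 that enumerates variants, i.e. the
    MultiViews listing this thread describes is enabled on the server."""
    return status_line.split(" ")[1:2] == ["406"] and bool(parse_variants(body))
```

The listing comes from mod_negotiation's MultiViews; `Options -MultiViews` on the affected directory (or a custom `ErrorDocument 406`) stops Apache from enumerating variants in the error page.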