Bugtraq mailing list archives

Re: Report OWASP WAF Naxsi bypass Vulnerability
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 26 Mar 2013 18:47:02 -0400

Tracked through issue 65
(http://code.google.com/p/naxsi/issues/detail?id=65), fixed at
check-in R545 (http://code.google.com/p/naxsi/source/detail?spec=svn545&r=545).

On Mon, Mar 25, 2013 at 10:00 PM,  <safe3q () gmail com> wrote:
OWASP WAF Naxsi bypass Vulnerability

Certain unspecified input is not properly handled in
naxsi_src/naxsi_utils.c naxsi_unescape_uri(u_char **dst, u_char **src,
size_t size, ngx_uint_t type) before being used to filter. This can
be exploited to bypass some WAF rules.

Naxsi site

All versions

My site

My nick name is Safe3

It happens like this: the naxsi_unescape_uri function processes the % URL
decoding. If the next char after the % is a hex char and the one after the
hex char is not, then it will drop the % and the next char. So if we input a
SQL keyword "s%elect", it will become "slect" instead. This is not the
standard URL decoding way. For example, IIS ASP will process
"s%elect" as "select", so we can bypass some
WAF rules just like that.

I offer a standard URL decode function patch as follows to fix this issue:
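
The following C sketch is an added example, not the patch mentioned in the post and not Naxsi's code: it models the decoding mismatch described above and counts malformed `%` escapes so a filter can flag them whatever the backend does. The policy names, `url_decode` and `decodes_to` are illustrative assumptions, and the sample inputs are constructed.

```c
#include <string.h>

/* Handling of a '%' not followed by two hex digits (names are illustrative). */
typedef enum {
    KEEP_LITERAL, /* copy the '%' through unchanged */
    DROP_PERCENT, /* drop only the '%': backend behaviour described in the post */
    DROP_PAIR     /* drop '%' and the next hex char: behaviour reported for the WAF */
} bad_escape_policy;

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold ASCII upper case to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decodes src into dst (strlen(src) + 1 bytes); *bad counts malformed escapes. */
size_t url_decode(const char *src, char *dst, bad_escape_policy p, size_t *bad)
{
    size_t n = 0;
    *bad = 0;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (c != '%') { dst[n++] = (char)c; continue; }
        int hi = hexval((unsigned char)src[0]);
        int lo = hi >= 0 ? hexval((unsigned char)src[1]) : -1;
        if (lo >= 0) { /* well-formed %XX */
            dst[n++] = (char)(hi * 16 + lo);
            src += 2;
            continue;
        }
        (*bad)++; /* malformed escape: report it to the caller */
        if (p == KEEP_LITERAL) dst[n++] = '%';
        else if (p == DROP_PAIR && hi >= 0) src++; /* swallow the hex char too */
    }
    dst[n] = '\0';
    return n;
}

/* Returns 1 if `in` decodes to `want` with `want_bad` malformed escapes. */
int decodes_to(const char *in, bad_escape_policy p, const char *want, size_t want_bad)
{
    char out[256];
    size_t bad;
    if (strlen(in) >= sizeof out) return 0;
    url_decode(in, out, p, &bad);
    return strcmp(out, want) == 0 && bad == want_bad;
}

int main(void) { return !decodes_to("s%elect", DROP_PAIR, "slect", 1); }
```

All three policies report one malformed escape for `s%elect`, so a filter that cannot know its backend's policy can score or reject any input where `bad` is non-zero.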
