Dailydave mailing list archives

Re: New Snort Bypass - Patch - Bypass of Patch
From: Sigint Consulting <info () sigint-consulting com>
Date: Mon, 05 Jun 2006 11:50:18 -0700

Apache 2 ignores any combination of the following bytes before the URI: 
0x09 0x0b 0x0c 0x0d 0x20 (man isspace)

If you specify 0x0a before the URI, it causes Apache to truncate the 
request, so in most cases this results in the index.html page being 
returned. Try your 0x0a example again with a non-index.html URI and it 
will still serve up the main page.

HD, 

You are correct: the request using \x0a is truncated and index.html is
returned; my apologies. However, the \x0d character is still accepted
and the proper page is returned. I cannot confirm on anything except
Apache 1.3.34 at the moment.


$ perl -e 'print "GET \x0d/html/1.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
HTTP/1.1 200 OK
Date: Wed, 07 Jun 2006 08:42:53 GMT
Server: Apache/1.3.34 (Debian)
Last-Modified: Wed, 07 Jun 2006 08:42:37 GMT
ETag: "6f648-16-4486917d"
Accept-Ranges: bytes
Content-Length: 22
Connection: close
Content-Type: text/html; charset=iso-8859-1

this is a test 1.html

Chris

--------------------------------
www.sigint-consulting.com
info () sigint-consulting com

Charlotte, North Carolina 
Information Security Consulting
--------------------------------
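
A detection-side sketch of the normalization this thread implies, as an added example that is not part of the original messages or of Snort's code: it skips the bytes listed above before the URI, treats 0x0a as the end of the request line, and flags both cases so a rule can be matched against the URI the server acts on. The function names and the `/html/` rule prefix are hypothetical, and the sample requests are constructed from the one shown in the post.

```python
import re

# Bytes the thread reports as ignored before the URI: isspace() minus LF (0x0a).
SKIPPED = rb"\x09\x0b\x0c\x0d\x20"
REQUEST_LINE = re.compile(rb"^([A-Z]+)([" + SKIPPED + rb"]*)([^" + SKIPPED + rb"]*)")


def normalize_request_line(raw: bytes):
    """Return (method, uri, anomalies) for the first request line in raw."""
    # LF terminates the request line, so anything after it is not part of the URI.
    line = raw.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(line)
    if m is None:
        return b"", b"", ["unparsed"]
    method, separator, uri = m.groups()
    anomalies = []
    if separator != b" ":
        # Anything other than exactly one space between method and URI.
        anomalies.append("nonstandard-separator")
    if uri == b"":
        # Request line ended before a URI was seen (the 0x0a case in the thread).
        anomalies.append("truncated-before-uri")
    return method, uri, anomalies


def naive_matches(raw: bytes, uri_prefix: bytes) -> bool:
    """Literal content match that assumes a single space precedes the URI."""
    return b" " + uri_prefix in raw


def normalized_matches(raw: bytes, uri_prefix: bytes) -> bool:
    """Match the rule prefix against the URI after normalization."""
    _, uri, _ = normalize_request_line(raw)
    return uri.startswith(uri_prefix)


if __name__ == "__main__":
    # Constructed samples: the request from the post, the 0x0a variant, a plain one.
    samples = [
        b"GET \x0d/html/1.html HTTP/1.0\n\r\n",
        b"GET \x0a/html/1.html HTTP/1.0\n\r\n",
        b"GET /html/1.html HTTP/1.0\r\n\r\n",
    ]
    for raw in samples:
        print(normalize_request_line(raw),
              naive_matches(raw, b"/html/"),
              normalized_matches(raw, b"/html/"))
```
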


