Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: IPS Evasion with the Apache HTTP Server
From: H D Moore <fdlist () digitaloffense net>
Date: Wed, 20 Jun 2007 09:19:49 -0500

Agreed. The point was that IPS vendors have put a large amount of effort 
into normalizing IIS-specific encodings, but fail to handle 
Apache-specific quirks. 

The note in RFC  2616, Section 4.1, refers to a single CRLF before the 
Request-Line. Prepending multiple CRLFs or non-printable characters (as 
coderman mentioned) falls outside of the RFC and I consider them 
Apache-specific HTTP evasions.

Jamie has a good point about the PHP RFI signatures. Many IPS products 
(sorry, I don't want to pick on any particular vendor) will look for a 
http:// URL to detect RFI attacks. Replacing http with one of the other 
protocol handlers (zip, ftp, file, smb on windows, etc) will evade many 
of these signatures. The php://filter/resource trick is a nice hack for 
evading existing signatures while still using a http URL for the included 
PHP code.


On Wednesday 20 June 2007 08:50, 3APA3A wrote:
You  simply  MUST  accept  the  risk  there  is always the way to
bypass content  filtering. IPS like doesn't protect your network by
itself. IPS is nothing, but a tool.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]