Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Apache mod_rewrite off-by-one sig

from [Jon Hart] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Apache mod_rewrite off-by-one sig
Date: Mon, 31 Jul 2006 19:53:02 -0700 
On Mon, Jul 31, 2006 at 09:12:52PM -0400, Joel Esler wrote:

Jon,

Anyway you can provide a packet capture?  Or perhaps fill in an offset/depth 
for that content match at least?


I can't.  The way I understand the prerequisites of the vulnerability is
that you have to have a rewrite rule similar to:

RewriteRule ^/blah(.*) $1/some/stuff/that/doesntmatter/

I actually can't think of any good reason to give a user control over
the very first part of the rewrite target, but alas, there may be a good
reason and there are plenty of bad rewrite rules out there.

Anyway...

That said, the exploit for this particular vulnerability depends
entirely on the RewriteRule being attacked, so the best we can hope for
is looking for ldap:// in the uri.  Actually, I suppose it is possible
that the exploit could come not in the form of a URI, but really
anywhere in the request as mod_rewrite can base its actions on damn near
anything.

-jon

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] Apache mod_rewrite off-by-one sig, Joel Esler
Next by Date:  Re: [Snort-sigs] Question on function of "within" command, Joel Esler
Previous by Thread:  Re: [Snort-sigs] Apache mod_rewrite off-by-one sig, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]