Sigint Consulting said: > However we can once again bypass this by including our CR character > before our string like so: > > perl -e 'print "GET \x0d/index.php\x90\x90 HTTP/1.0\n\r\n"'|nc > 192.168.1.3 80 > > No alert is generated from the string above. [...] > We are not sure how much this may buy an attacker as the CR character > may mess up any requests to the webserver, further research is needed > on this. I performed this research while developing NFR's web signatures, and found that all web servers I tested (several years ago) handled end-of-lines using "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that interprets "index.php" in the example above as an actual filename, I for one would be very interested in knowing about it. -- Dodge
Attachment:
pgpiwbxsUDMOe.pgp
Description: PGP signature