[WEB SECURITY] ../ filtered

Chris Weber chris at casabasec.com
Mon Feb 15 15:07:38 EST 2010


I know you say they’re using ISO (8859-1 presumably), but there still may be Unicode support internally. I’d try these variations.

Normalization compatibility forms:

U+2024 U+2024 U+FF0F

%E2 %80 %A4 %E2 %80 %A4 %EF %83 %BF

․․/

Best-fit mapping Windows-1252 (similar for ISO-8859-1):

U+FF0E U+FF0E U+2215

%EF %BC %8E %EF %BC %8E %E2 %88 %95

..∕

UTF-8 overlong: 

U+002E U+002E U+002F

%C0 %AE %C0 %AE %C0 %AF%

../

-Chris Weber

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Sunday, February 14, 2010 11:43 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered

Hi, I need to find a vulnerability in a URL that could be exploited for directory traversal and LFI; the page is working with PHP but it is filtering /../ and also /%2e%2e/, because the page is using ISO for Latin characters I can't use Unicode extended because it reinterprets with other values; is there another way to work around the filter?
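
The variants in the reply all get past a filter that matches the raw string before decoding, so the defensive counterpart is to canonicalize first and validate second. The sketch below is an added example, not part of the original thread; the function names, the `BEST_FIT` table and the sample inputs are assumptions constructed from the code points listed in the reply.

```python
import unicodedata
from urllib.parse import quote, unquote_to_bytes

# Folds that NFKC does not perform. U+2215 is the best-fit slash named in the
# post; treating it as "/" here is an assumption about the target code page.
BEST_FIT = {"\u2215": "/"}

def canonical_path(raw: str) -> str:
    """Percent-decode, strictly UTF-8 decode, then fold look-alikes to ASCII."""
    data = unquote_to_bytes(raw)
    # Python's strict decoder raises on overlong forms such as C0 AE / C0 AF.
    text = data.decode("utf-8", errors="strict")
    # NFKC maps U+2024 and U+FF0E to "." and U+FF0F to "/".
    text = unicodedata.normalize("NFKC", text)
    text = "".join(BEST_FIT.get(ch, ch) for ch in text)
    return text.replace("\\", "/")

def is_traversal(raw: str) -> bool:
    """True when the canonical form has a '..' segment or cannot be decoded."""
    try:
        path = canonical_path(raw)
    except UnicodeDecodeError:
        return True  # malformed or overlong UTF-8 is rejected outright
    return ".." in path.split("/")

# Constructed sample inputs built from the code points listed in the post.
SAMPLES = {
    "plain": "docs/report.txt",
    "compatibility forms": quote("\u2024\u2024\uff0f") + "x",
    "best-fit": quote("\uff0e\uff0e\u2215") + "x",
    "overlong": "%C0%AE%C0%AE%C0%AFx",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:20} {value:40} traversal={is_traversal(value)}")
```

Whatever passes the check should be opened using the canonical form returned by `canonical_path`, not the raw input, so that no later layer decodes the path differently from the validator.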