[WEB SECURITY] ../ filtered

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Tue Feb 16 11:18:18 EST 2010

I have two more rare cases that might help; I have seen these only a
couple of times.
1. Use a null char or a vertical tab between the ..; it might bypass the
filter but the OS interprets it correctly. This works in some Windows
systems, but not sure on Linux.
2. Try absolute paths "folder=/etc/"; it is kind of obvious, but I have
seen it working a couple of times when logic detects if it is absolute
and passes it as is.
Juan Carlos


From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Tuesday, February 16, 2010 08:40 a.m.
To: Shlomi Narkolayev; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered


I tried those already; but they and the ones with ".." are rejected, the
variable is verifying the string before running it, and with

%252e%252e/FILENAME this happens:

The 25s are removed, so the %2e%2e are left but transformed into pure
text, so the page reports that the directory %2e%2e doesn't exist; but if
I apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and
says .. are not allowed.

I Have Learned So much from God That I can no longer Call Myself A
Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so
much of Itself With me That I can no longer call myself A man, a woman,
and angel Or even pure Soul. Love has Befriended Hafiz so completely It
has turned to ash And freed Me Of every concept and image My mind has
ever known. -Hafiz, Persian poet (1315 - 1390) 


From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered

Try these:

Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/>
new 1400 variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered 


Hi, I need to find a vulnerability in a URL that could be exploited for
directory traversal and LFI; the page is working with PHP but it is
filtering /../ and also /%2e%2e/. Because the page is using ISO for
Latin characters I can't use Unicode extended because it reinterprets
it with other values; is there another way to work around the filter?

