[WEB SECURITY] ../ filtered

Beatriz Duran beatrizdrn at yahoo.com
Tue Feb 16 17:16:21 EST 2010


The vertical tab is converted to space so you get something like "/. ./" does not exist.

folder=c:\ or folder=/etc/ would not work because there is a prefixed root so you would get something like: /rootdirectory/etc doesn't exist.





I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, and angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390)




________________________________
From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; Shlomi Narkolayev <shlominar at gmail.com>; websecurity at webappsec.org
Sent: Tue, February 16, 2010 10:18:18 AM
Subject: RE: [WEB SECURITY] ../ filtered

 
I have two more rare cases that might help, I have seen these only a couple of times

1. Use a null char or a vertical tab between the .., it might bypass the filter but the OS interprets it correctly, this works in some Windows systems, but not sure on Linux
2. try absolute paths "folder=/etc/", it is kind of obvious, but I have seen it working a couple of times when logic detects if it is absolute and passes it as is
 
Regards,
Juan Carlos
 


________________________________
From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Tuesday, February 16, 2010 08:40 a.m.
To: Shlomi Narkolayev; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered


Shlomi,

I tried those already; but they and the ones with ".." are rejected, the variable is verifying the string before running it and with the combination:

%252e%252e/FILENAME this happens:

viewfiles.php?folder=%252e%252e/

The 25s are removed, so the %2e%2e are left but transformed in pure text so the page reports that the directory %2e%2e doesn't exist; but if I apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and says .. are not allowed.










________________________________
From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered


Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog new 1400 variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.

  

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered 
 
Hi, I need to find a vulnerability in a url that could be exploited for directory traversal and LFI; the page is working with PHP but it is filtering /../ and also /%2e%2e/, because the page is using ISO for Latin characters I can't use Unicode extended because it reinterprets with other values; is there another way to work around the filter?
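
Added example, not part of the thread and not the application's code: a defender-side sketch in Python (the application discussed is PHP) of the check the thread's observations point toward, namely decode the parameter once, prefix the root, canonicalize, and decide on the resolved path instead of matching substrings. The names `resolve_folder`, `classify` and `THREAD_VARIANTS` are illustrative assumptions; the inputs are the strings already quoted in the messages above.

```python
import os
import tempfile
from urllib.parse import unquote

# Encoded forms quoted in this thread, used only as test input.
THREAD_VARIANTS = [
    "..%5c..%5cFILENAME", "%2e%2e\\%2e%2e\\FILENAME", "..%c0%af..%c0%afFILENAME",
    "..%255c..%255cFILENAME", "%252e%252e/FILENAME", "..%2f..%2fFILENAME",
    "..%252f..%252fFILENAME", "%2e%2e/", ".%0b./", ".%00./", "/etc/",
]

def resolve_folder(root, raw_param):
    """Return the canonical path of raw_param under root, or None if refused."""
    # Decode exactly once; anything still percent-encoded afterwards is
    # literal text and is never decoded a second time.
    value = unquote(raw_param, encoding="latin-1")
    # Refuse NUL, vertical tab and other control characters outright
    # instead of converting them into something else.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return None
    # Judge Windows-style separators the same way as "/".
    value = value.replace("\\", "/")
    # Always prefix the root, so an absolute-looking value stays relative.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(root_real + os.sep + value.lstrip("/"))
    # The decision is made on the canonical path, not on the input string.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def classify(root, params):
    """Map each parameter to 'refused' or to its path relative to root."""
    root_real = os.path.realpath(root)
    out = {}
    for p in params:
        path = resolve_folder(root, p)
        out[p] = "refused" if path is None else os.path.relpath(path, root_real)
    return out

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:  # constructed root directory
        for param, verdict in classify(demo_root, THREAD_VARIANTS).items():
            print(f"{param!r:32} -> {verdict}")
```

Double-encoded inputs end up as literal, non-existent directory names inside the root, which matches the "directory %2e%2e doesn't exist" behaviour reported in the thread.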


      