[WEB SECURITY] ../ filtered

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Wed Feb 17 09:33:30 EST 2010


What about the null character? does it breaks the string or it is passed
to the OS?
 
Regards,
Juan Carlos

________________________________

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Martes, 16 de Febrero de 2010 04:16 p.m.
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered


The vertical tab is converted to space so you get something like "/. ./"
does not exist.

folder=c:\ or folder=/etc/ would not work because the there is a
prefixed root so you would get something like: /rootdirectory/etc
doesn't exist.





 
I Have Learned So much from God That I can no longer Call Myself A
Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so
much of Itself With me That I can no longer call myself A man, a woman,
and angel Or even pure Soul. Love has Befriended Hafiz so completely It
has turned to ash And freed Me Of every concept and image My mind has
ever known. -Hafiz, Persian poet (1315 - 1390) 


________________________________

From: "Calderon, Juan Carlos (GE, Corporate, consultant)"
<juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; Shlomi Narkolayev
<shlominar at gmail.com>; websecurity at webappsec.org
Sent: Tue, February 16, 2010 10:18:18 AM
Subject: RE: [WEB SECURITY] ../ filtered


I have two more rare cases that might help, I have seen these only a
couple of times
 
1. Use a null char or a vertical tab between the .., it might bypass the
filter but the OS interpret it correctly, this works in some windows
systems, but not sure on Linux
2. try absolute paths "folder=/etc/", it is kind of obvious, but I have
see it working a couple of times when logic detects if it is absolute
and pass it as is
 
Regards,
Juan Carlos
 

________________________________

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Martes, 16 de Febrero de 2010 08:40 a.m.
To: Shlomi Narkolayev; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered


Shlomi,

I tried those already; but they and the ones with ".." are rejected, the
variable is verifying the string before running it and with the
combination: 

%252e%252e/FILENAME happens this:

viewfiles.php?folder=%252e%252e/

The 25s are removed, the so the %2e%2e are left but transformed in pure
text so the page reports that the directory %2e%2e doesn't exist; but if
I apply purely  viewfiles.php?folder=%2e%2e/ the page reject them and
say .. are not allowed.






 
I Have Learned So much from God That I can no longer Call Myself A
Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so
much of Itself With me That I can no longer call myself A man, a woman,
and angel Or even pure Soul. Love has Befriended Hafiz so completely It
has turned to ash And freed Me Of every concept and image My mind has
ever known. -Hafiz, Persian poet (1315 - 1390) 


________________________________

From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered


Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/>
new 1400 variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.






From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered 

 

Hi, I need to find a vulnerability in a url that could be exploited for
directory traversal and LFI; the page is working with PHP but it is
filtering /../ and also /%2e%2e/, because the pace is  using ISO for
Latin characters I can't use unicode extended because it reinterpret
with other values; is there another way to work around the filter?

 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100217/d7321b2b/attachment.html>


More information about the websecurity mailing list