[WEB SECURITY] ../ filtered

Beatriz Duran beatrizdrn at yahoo.com
Wed Feb 17 15:07:18 EST 2010


Through the address bar and also direct telnet to port 80; no proxy in the middle, at least not from my site;


 I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, and angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390) 




________________________________
From: Chris Weber <chris at casabasec.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; websecurity at webappsec.org
Sent: Wed, February 17, 2010 11:55:26 AM
Subject: RE: [WEB SECURITY] ../ filtered


That’s the Unicode replacement character U+FFFD. That would tell me there’s internal Unicode handling happening, or a fallback/replacement character statically defined. How are you testing? e.g. through a proxy like Fiddler or Burp, or sending tests through the address bar of your (which?) browser?
 
From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Wednesday, February 17, 2010 7:01 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered
 
It gets transformed into: �


 
 
 

________________________________

From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; websecurity at webappsec.org
Sent: Wed, February 17, 2010 8:33:30 AM
Subject: RE: [WEB SECURITY] ../ filtered
What about the null character? Does it break the string, or is it passed to the OS?
 
Regards,
Juan Carlos
 

________________________________

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Tuesday, 16 February 2010 04:16 p.m.
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered
The vertical tab is converted to a space, so you get something like: "/. ./" does not exist.

folder=c:\ or folder=/etc/ would not work because there is a prefixed root, so you would get something like: /rootdirectory/etc doesn't exist.




 
 
 

________________________________

From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; Shlomi Narkolayev <shlominar at gmail.com>; websecurity at webappsec.org
Sent: Tue, February 16, 2010 10:18:18 AM
Subject: RE: [WEB SECURITY] ../ filtered
I have two more rare cases that might help; I have seen these only a couple of times.
 
1. Use a null char or a vertical tab between the ..; it might bypass the filter but the OS interprets it correctly. This works on some Windows systems, but not sure about Linux.
2. Try absolute paths, "folder=/etc/"; it is kind of obvious, but I have seen it working a couple of times when the logic detects that it is absolute and passes it as is.
 
Regards,
Juan Carlos
 
 

________________________________

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Tuesday, 16 February 2010 08:40 a.m.
To: Shlomi Narkolayev; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered
Shlomi,

I tried those already, but they and the ones with ".." are rejected; the variable is verifying the string before running it, and with the combination:

%252e%252e/FILENAME this happens:

viewfiles.php?folder=%252e%252e/

The 25s are removed, so the %2e%2e are left but transformed into pure text, so the page reports that the directory %2e%2e doesn't exist; but if I apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and says .. are not allowed.





 
 
 

________________________________

From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered
Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog 1400 new variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.
 
From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered
 
Hi, I need to find a vulnerability in a URL that could be exploited for directory traversal and LFI; the page is working with PHP but it is filtering /../ and also /%2e%2e/. Because the page is using ISO for Latin characters I can't use extended Unicode, because it reinterprets it with other values; is there another way to work around the filter?
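The thread above is about a filter that looks for literal `../` and `%2e%2e` spellings and the encoded, null-byte, vertical-tab and absolute-path inputs that such a filter has to worry about. As an added example (not code from any of the posters or from the viewfiles.php application discussed), here is the check a defender would use instead: decode exactly once, reject control characters and non-ASCII, then canonicalize the path the OS will actually open and verify it stays under the base directory. It assumes a POSIX filesystem and a constructed base directory /var/www/files; `server_decode` stands in for the single percent-decoding the web server already performs.

```python
import os
import urllib.parse

BASE_DIR = "/var/www/files"  # constructed example root; not from the thread


def server_decode(query_value):
    """The single percent-decoding the web server applies to a query string.
    The application must never repeat it: a second decode is what turns
    %252e%252e into '..' after a filter only ever saw '%2e%2e'."""
    return urllib.parse.unquote(query_value)  # undecodable bytes become U+FFFD


def canonical_target(base_dir, folder):
    """Return the canonical absolute directory for a 'folder' value, or None
    if it must be rejected. The decision is made on the path the OS will use,
    not on the raw text, so it does not depend on spotting every spelling
    of '..'."""
    base_dir = os.path.normpath(base_dir)
    # NUL, vertical tab and other control characters never belong in a path;
    # they are exactly the characters a text filter skips but the OS keeps.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in folder):
        return None
    # Non-ASCII (including the U+FFFD replacement character left by an
    # overlong %c0%af) is rejected: a Latin-1 application would reinterpret it.
    if not folder.isascii():
        return None
    # Treat backslash as a separator as well so '..\' normalizes like '../'.
    folder = folder.replace("\\", "/")
    # Absolute paths and drive letters are never acceptable relative folders.
    if folder.startswith("/") or (len(folder) > 1 and folder[1] == ":"):
        return None
    target = os.path.normpath(os.path.join(base_dir, folder))
    # Containment check on the normalized result; in production also resolve
    # symlinks with os.path.realpath before comparing.
    if os.path.commonpath([base_dir, target]) != base_dir:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs modelled on the ones discussed in the thread.
    for raw in ["reports/2010", "%2e%2e/", "%252e%252e/", "..%5c..%5c",
                "..%c0%af..%c0%af", "..%00/..", "..%0b/", "/etc/", "c:\\"]:
        print(f"{raw!r:22} -> {canonical_target(BASE_DIR, server_decode(raw))}")
```

Note that `%252e%252e/` survives as the literal folder name `%2e%2e`, which is the "directory %2e%2e doesn't exist" behaviour reported in the thread and is harmless because the check runs on the real path.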

