[WEB SECURITY] ../ filtered

Chris Weber chris at casabasec.com
Wed Feb 17 12:55:26 EST 2010


That’s the Unicode replacement character U+FFFD.  That would tell me there’s internal Unicode handling happening, or a fallback/replacement character statically defined.  How are you testing ?  e.g. through a proxy like Fiddler or Burp, or sending tests through the address bar of your (which?) browser?  

                                                                                                                                                                                                                                                         

 

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Wednesday, February 17, 2010 7:01 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered

 

It gets transformed into: �



 

I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, and angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390)

 

 

  _____  

From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; websecurity at webappsec.org
Sent: Wed, February 17, 2010 8:33:30 AM
Subject: RE: [WEB SECURITY] ../ filtered

What about the null character? does it breaks the string or it is passed to the OS?

 

Regards,

Juan Carlos

 

  _____  

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Martes, 16 de Febrero de 2010 04:16 p.m.
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered

The vertical tab is converted to space so you get something like "/. ./" does not exist.

folder=c:\ or folder=/etc/ would not work because the there is a prefixed root so you would get something like: /rootdirectory/etc doesn't exist.





 

I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, and angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390) 

 

 

  _____  

From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
To: Beatriz Duran <beatrizdrn at yahoo.com>; Shlomi Narkolayev <shlominar at gmail.com>; websecurity at webappsec.org
Sent: Tue, February 16, 2010 10:18:18 AM
Subject: RE: [WEB SECURITY] ../ filtered

I have two more rare cases that might help, I have seen these only a couple of times

 

1. Use a null char or a vertical tab between the .., it might bypass the filter but the OS interpret it correctly, this works in some windows systems, but not sure on Linux

2. try absolute paths "folder=/etc/", it is kind of obvious, but I have see it working a couple of times when logic detects if it is absolute and pass it as is

 

Regards,

Juan Carlos

 

 

  _____  

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Martes, 16 de Febrero de 2010 08:40 a.m.
To: Shlomi Narkolayev; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] ../ filtered

Shlomi,

I tried those already; but they and the ones with ".." are rejected, the variable is verifying the string before running it and with the combination: 

%252e%252e/FILENAME happens this:

viewfiles.php?folder=%252e%252e/

The 25s are removed, the so the %2e%2e are left but transformed in pure text so the page reports that the directory %2e%2e doesn't exist; but if I apply purely  viewfiles.php?folder=%2e%2e/ the page reject them and say .. are not allowed.






 

I Have Learned So much from God That I can no longer Call Myself A Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much of Itself With me That I can no longer call myself A man, a woman, and angel Or even pure Soul. Love has Befriended Hafiz so completely It has turned to ash And freed Me Of every concept and image My mind has ever known. –Hafiz, Persian poet (1315 – 1390) 

 

 

  _____  

From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered

Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/>  new 1400 variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.

 

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com] 
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered 

 

Hi, I need to find a vulnerability in a url that could be exploited for directory traversal and LFI; the page is working with PHP but it is filtering /../ and also /%2e%2e/, because the pace is  using ISO for Latin characters I can't use unicode extended because it reinterpret with other values; is there another way to work around the filter?

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100217/35a7d9d1/attachment.html>


More information about the websecurity mailing list