[Snort-sigs] SID 1828 change needed

Giles Coochey giles at ...1554...
Mon Jun 9 06:39:07 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 02 June 2003 6:46 pm, Kevin Peuhkurinen wrote:
> Since I, as 'turambar386', posted the original bugtraq advisory on the
> iPlanet search engine file viewing vulnerability, I thought that I would
> write up the documentation for the SID as well, which is SID 1828.
>
> However, I noticed that part of the content that triggers the alert is
> "../../".    My research on the vulnerability proved that it was only
> exploitable using DOS backslashes ("..\..\").
>

However, if you have the http_decode preprocessor running then you will flip 
slashes to forward slashes, no?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+4y4UgSkVLH36ZzoRArcoAJ4hJLwfepBRkJmnh7u71KC4MV2CpACg4QPr
UN5zs93QEiIxZn14bRoIAQU=
=H6xC
-----END PGP SIGNATURE-----





More information about the Snort-sigs mailing list