Snort Forums Archive
Cert Advisory VU#739224
Posted by Grimwiz on May 22, 2007 01:04:19
Cert have issued a vulnerability advisory, http://www.kb.cert.org/vuls/id/739224
synopsis here:
HTTP content scanning systems full-width/half-width Unicode encoding bypass
Overview
Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious HTTP traffic to bypass content scanning systems.
I. Description
Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.
II. Impact
A remote, unauthenticated attacker may be able to bypass HTTP content scanning systems.
I assume this just means we have a slight blind spot and this is not able to be further leveraged into a stack overflow (... leading to the usual culprits of DOS or code execution)
Can anyone confirm?
Posted by mguiterman on May 22, 2007 09:11:26
You are correct - it's an evasion. Snort v2.6.1.5 is not affected.
Posted by edan on May 24, 2007 00:03:53
Can you please explain exactly what snort is doing to handle this?
Are all versions of snort unaffected, or only 2.6.1.5 as you note? If it was recently patched/fixed, again, please describe how?
Thanks
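Added example, not part of the thread and not Snort's code: one way a content scanner can close the blind spot described in VU#739224 is to decode URI escapes and fold full-width/half-width forms to their ASCII equivalents before matching. The signature string, the function names and the sample URIs are constructed for illustration.

```python
import re
import unicodedata

# Hypothetical signature the scanner looks for in a request URI.
SIGNATURE = "/restricted/"

_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # non-standard %uXXXX escape
_PCT = re.compile(rb"%([0-9a-fA-F]{2})")    # standard %XX escape (UTF-8 bytes)


def decode_uri(raw: str) -> str:
    """Undo %uXXXX and %XX escapes; undecodable bytes become U+FFFD."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    # surrogatepass keeps a lone %uD800-style escape from raising here.
    b = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]),
                 s.encode("utf-8", "surrogatepass"))
    return b.decode("utf-8", errors="replace")


def fold_width(text: str) -> str:
    """NFKC maps full-width forms (U+FF01..U+FF5E) to their ASCII equivalents."""
    return unicodedata.normalize("NFKC", text)


def naive_matches(raw_uri: str, signature: str = SIGNATURE) -> bool:
    """Byte-for-byte match on the raw URI: the behaviour the advisory describes."""
    return signature in raw_uri


def matches(raw_uri: str, signature: str = SIGNATURE) -> bool:
    """Match after decoding escapes and folding width variants."""
    return signature in fold_width(decode_uri(raw_uri)).lower()


# Constructed sample URIs (not captured traffic).
SAMPLES = [
    "/restricted/index.html",          # plain ASCII
    "/%EF%BD%92estricted/index.html",  # full-width 'r' as UTF-8 %XX escapes
    "/%uFF52%uFF45stricted/x",         # full-width 'r', 'e' as %uXXXX escapes
    "/public/index.html",              # benign
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r}: naive={naive_matches(uri)} normalized={matches(uri)}")
```

The two encoded samples are missed by the raw match and caught after normalization; a real sensor would also need to apply the same normalization its protected web server applies, since a mismatch in either direction is itself an evasion gap.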