Brett,

On Sun, Nov 23, 2008 at 7:51 PM, Brett Moore
<[EMAIL PROTECTED]> wrote:
> Hi. Long time listener, first time poster.

Long time fan of your work, first time I say it ;)

>> I agree with José, that w3af isn't a vulnerability exploitation
>> framework so it may be out of the scope of the project.
>
> Andres
>>Ok, I'm going to follow your advice and I won't add this feature to
>>the framework. Thanks for your comments and help!
>
> Perhaps what is required is some definitive guidelines around what the
> framework intends to be. I agree that it is not an exploitation
> framework, such as metasploit, but it is a vulnerability detection
> framework. Isn't it?

Well, w3af detects the web application vulnerabilities and exploits
them. It's different from metasploit/canvas/impact in many ways. The
most important one is that we don't exploit "apache" vulnerabilities
like format strings and buffer overflows; w3af exploits the web
application vulnerabilities.

> W3AF attempts to detect vulnerabilities in web applications, such as
> XSS, SQL injection (bypassing addslashes etc.), .htaccess bypass
> (through HEAD vs GET vs POST), auth bypass through page guessing, and
> case sensitive checks etc.
>
> So why would you not want it to detect shell command execution filter
> bypass using this vulnerability, or any other char encoding methods?
>
> By the sounds of it, it will take longer to debate this than it would
> to implement it. And implementing it would make the framework stronger.

Sure, adding this feature will take me something like 2 minutes, but
the debate is important, because we have to define what we want from
the project, and what the limits are. This particular subject is just
sitting on the line that separates what we have been doing from what
we haven't.

I've sent an email to the original vulnerability finder, to ask some
things like "how many installations of PHP with the buggy PHP version
are actually vulnerable?" (please remember that the console needs to
be configured to support multibyte chars). And I failed to get an
answer. Do any of you know Stefan Esser and could you remind him that I
sent him an email?

Brett, thanks for your time =)

Cheers,
> Brett
>
>
> -----Original Message-----
> From: Andres Riancho [mailto:[EMAIL PROTECTED]
> Sent: Monday, 24 November 2008 10:39 a.m.
> To: [EMAIL PROTECTED]
> Cc: w3af-develop@lists.sourceforge.net
> Subject: Re: [W3af-develop] Advisory SE-2008-03: PHP Multibyte Shell Command
> Escaping Bypass Vulnerability
>
> Taras, Jose,
>
> On Sun, Nov 23, 2008 at 7:31 PM, Taras P. Ivashchenko
> <[EMAIL PROTECTED]> wrote:
>> Andres,
>>> But this isn't a buffer overflow, a format string, or something like
>>> that, the only thing that I have to add is a 0xc0 char in front of
>>> every character that would be normally escaped (; | & and some
>>> others). And by "exploiting" this vulnerability, w3af would be
>>> bypassing a filter, like the ones that w3af bypasses when "fighting
>>> back" gpc_magic_quotes in SQL injection exploitation.
>>
>> Yes, but gpc_magic_quotes is a PHP-specific option (for all versions
>> before 6).
>> And the bypass is a security issue specific to certain PHP versions on
>> specific platforms (locales).
>>
>> I agree with José, that w3af isn't a vulnerability exploitation
>> framework so it may be out of the scope of the project.
>
> Ok, I'm going to follow your advice and I won't add this feature to
> the framework. Thanks for your comments and help!
>
> Cheers,
>
>> --
>> Тарас Иващенко (Taras Ivashchenko), OSCP
>> www.securityaudit.ru
>> ----
>> "Software is like sex: it's better when it's free." - Linus Torvalds
>>
>
>
>
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
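Added example, not w3af code and not part of this thread: the messages above describe the bypass as a 0xc0 byte placed in front of each character that escapeshellcmd()-style escaping would normally prefix with a backslash. From the defender's side the useful checks are a strict well-formedness test for the encoding the application actually runs in (a bare 0xc0 lead byte is never valid UTF-8, so strict decoding rejects it before the value reaches any escaping routine) and an allowlist on anything that is going to be passed to a shell at all. The metacharacter list is taken from the PHP manual's description of escapeshellcmd() and is an assumption of this example, the UTF-8 locale is an assumption, and the sample request parameters are constructed.

```python
import re

# Characters escapeshellcmd() is documented to prefix with a backslash
# (assumed from the PHP manual; used here only to build the detection pattern).
SHELL_METACHARS = frozenset(b"&#;`|*?~<>^()[]{}$\\\x0a\xff")

# The pattern the thread describes: a lone 0xC0 lead byte immediately followed
# by a metacharacter, so that the inserted backslash gets swallowed as the
# second byte of a "multibyte" character on a misconfigured locale.
_LEAD_THEN_META = re.compile(rb"\xc0[&#;`|*?~<>^()\[\]{}$\\\n\xff]")

# Allowlist for values that will reach a shell: ASCII only, no metacharacters.
_ALLOWED = re.compile(rb"^[A-Za-z0-9_.@/-]+$")


def is_well_formed_utf8(data: bytes) -> bool:
    """Strict decode under the assumed UTF-8 locale; 0xC0 can never start a valid sequence."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def flag_multibyte_bypass(data: bytes) -> list:
    """Byte offsets where 0xC0 directly precedes a shell metacharacter (for log triage)."""
    return [m.start() for m in _LEAD_THEN_META.finditer(data)]


def safe_shell_argument(data: bytes) -> bool:
    """Positive validation: accept only allowlisted ASCII, independent of any escaping."""
    return _ALLOWED.match(data) is not None


# Constructed sample parameters, not real traffic.
SAMPLES = {
    "benign": b"report-2008.txt",
    "plain_injection": b"report.txt; id",
    "multibyte_trick": b"report.txt\xc0; id",
    "valid_utf8_nonascii": "résumé.txt".encode("utf-8"),
}


def triage(samples=None) -> dict:
    """Run all three checks over each sample and return the per-sample verdicts."""
    samples = SAMPLES if samples is None else samples
    results = {}
    for name, value in samples.items():
        results[name] = {
            "well_formed_utf8": is_well_formed_utf8(value),
            "bypass_offsets": flag_multibyte_bypass(value),
            "allowlisted": safe_shell_argument(value),
        }
    return results


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:22s} {verdict}")
```

The allowlist check is the one that actually protects a shell call: the strict decode and the 0xc0 scan only tell you that a request carried the malformed sequence, which is what you want in a detection rule or when reviewing logs, while `safe_shell_argument` rejects both the plain `; id` and the 0xc0-prefixed variant without depending on how escapeshellcmd() behaves under the current locale.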