Andres Riancho wrote:
> Stefano,
>
> On Tue, Jun 2, 2009 at 3:45 PM, Stefano Di Paola <[email protected]> wrote:
>> Hi Andres,
>> good finding, but if you were subscribed to my blog
>> http://www.wisec.it/sectou.php
>> you'd see that I wrote about it a couple of years ago:
>> http://www.wisec.it/sectou.php?id=4698ebdc59d15

Stefano: Excellent. I've got another blog to add to my RSS reader.
Sorry about missing your posting. I've updated my posting to link to
your _much_ earlier post. It's not that surprising that there is
prior art. There goes my software patent. =)
http://appseclive.org/content/grudge-match-apaches-modnegotiation-vs-modspeling

> hehe, nice!
>
>> Obviously I'm just kidding,
>
> =)
>
>> every research is good research when you
>> find it by yourself.
>
> Well... I think that my email was misinterpreted (by many people, so
> I think that it was my problem). I didn't imply that I found this
> "new" technique, I just wanted to say that I (Andrés Riancho) found
> out about it. I actually got this technique from a commercial web app
> sec scanner that I was analyzing :)

Andres: If it makes you feel any better, I _never_ thought you were
saying this was new to the world - just something you recently found
yourself while working on w3af.

> I'm in the process of starting to write a w3af plugin to exploit this
> issue, do you know if there is any previous research / paper /
> something done around this vulnerability that I should quote in the
> plugin source code? (other than yours)
>
>> BTW that finding gave me the chance to find an XSS
>> and response splitting on Apache:
>> http://www.mindedsecurity.com/MSA01150108.html
>
> Nice finding, but kind of hard to exploit in real life.
>
>> and _I think_ it's still marked as "won't fix".

I'm not all that surprised, unfortunately.

> That sucks :S
>
> Cheers,
>
>> Cheers,
>> Stefano
>>
>> On Tue, 02/06/2009 at 10.10 -0300, Andres Riancho wrote:
>>> List,
>>>
>>> Yesterday I found out a new trick, and I would like to share it with
>>> you ;)
>>>
>>> HTTP Request
>>> ========
>>>
>>> GET /backup HTTP/1.0
>>> Accept: foobar/xyz
>>> User-Agent: w3af
>>> Host: 192.168.150.2
>>> Connection: Close
>>>
>>> HTTP Response
>>> =========
>>>
>>> HTTP/1.1 406 Not Acceptable
>>> ...
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <html><head>
>>> <title>406 Not Acceptable</title>
>>> </head><body>
>>> <h1>Not Acceptable</h1>
>>> <p>An appropriate representation of the requested resource /backup
>>> could not be found on this server.</p>
>>> Available variants:
>>> <ul>
>>> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
>>> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>>> </ul>
>>> <hr>
>>> <address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
>>> PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
>>> Server at 192.168.150.2 Port 80</address>
>>> </body></html>
>>>
>>> In the response, please note these lines:
>>>
>>> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
>>> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>>>
>>> And if we go to the webroot to verify...
>>>
>>> d...@brick:/var/www$ ls -la | grep backup
>>> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:02 backup.tgz
>>> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:03 backup.zip
>>> d...@brick:/var/www$
>>>
>>> This trick is really useful when finding (for example) backup files,
>>> because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
>>> backup.tar.gz, etc. You just ask Apache for the backup file with an
>>> incorrect Accept header (please note Accept: foobar/xyz) and that's
>>> it, a list is given back to you.
>>>
>>> If this ain't new for you, sorry, but it was new for me =)
>>>
>>> I'm still thinking how I can use this trick in w3af, because I may use
>>> it as part of a discovery plugin, or maybe as an audit plugin that
>>> finds this as a vulnerability, and code an attack plugin that can
>>> exploit it to bruteforce new resources... hmmm... I still have to
>>> think. What do you guys think?
>>>
>>> Cheers,
>>
>

-- 
Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
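The probe Andrés describes above (an Accept header no variant can satisfy, then harvest the "Available variants" list from Apache's 406 page), written up as an added example. This is not w3af code and not code from anyone in the thread; the function names, the sample 406 body (a trimmed copy of the one quoted above) and the assumption that the target uses Apache's stock 406 error page with MultiViews enabled are this example's own.

```python
"""Added example (not w3af's code): probe Apache mod_negotiation for a
variant listing and parse the 406 body quoted in the thread.

Assumptions (this example's own): the target runs Apache with MultiViews
on, and the 406 page is the stock ErrorDocument layout, which lists each
variant as <li><a href="NAME">NAME</a> , type MIME</li>.
"""
import http.client
import re
from typing import List, Tuple

# An Accept value no real variant can match.  mod_negotiation then answers
# 406 Not Acceptable and enumerates every variant it considered.
UNACCEPTABLE_TYPE = "foobar/xyz"

# Matches one variant line of the stock Apache 406 page, e.g.
# <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
VARIANT_RE = re.compile(
    r'<li><a href="(?P<name>[^"]+)">[^<]*</a>\s*,\s*type\s+(?P<mime>[^<\s]+)',
    re.IGNORECASE,
)


def build_probe_request(host: str, path: str) -> bytes:
    """Raw HTTP/1.0 request equivalent to the one posted in the thread."""
    lines = [
        f"GET {path} HTTP/1.0",
        f"Accept: {UNACCEPTABLE_TYPE}",
        "User-Agent: w3af",
        f"Host: {host}",
        "Connection: Close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_variants(status: int, body: str) -> List[Tuple[str, str]]:
    """Return (filename, mime type) pairs from an Apache 406 variant list.

    Anything other than a 406 that carries the 'Available variants' marker
    yields an empty list, so a caller can distinguish 'no listing at all'
    (MultiViews off, custom error page, or no such base name) from a real
    listing.  A 404 here simply means no file shares that base name.
    """
    if status != 406 or "Available variants" not in body:
        return []
    return [(m.group("name"), m.group("mime")) for m in VARIANT_RE.finditer(body)]


def probe(host: str, path: str, port: int = 80, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Live probe over the network (not exercised offline)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": UNACCEPTABLE_TYPE, "User-Agent": "w3af"})
        resp = conn.getresponse()
        body = resp.read().decode("iso-8859-1", errors="replace")
        return parse_variants(resp.status, body)
    finally:
        conn.close()


# Constructed sample: the 406 body from the thread, with the Server banner
# shortened.  Used so the parser can be run without a target.
SAMPLE_406_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>
<hr>
<address>Apache/2.2.8 (Ubuntu) Server at 192.168.150.2 Port 80</address>
</body></html>
"""

if __name__ == "__main__":
    print(build_probe_request("192.168.150.2", "/backup").decode())
    for name, mime in parse_variants(406, SAMPLE_406_BODY):
        print(f"{name}\t{mime}")
```

Two practical notes. The listing only appears when mod_negotiation's MultiViews is active for that directory (`Options MultiViews`, or `Options +MultiViews` in a `.htaccess`); `Options -MultiViews` removes it, and a custom `ErrorDocument 406` will defeat this parser even if the module still leaks the variants elsewhere. When sweeping a word list, send one request per base name (`/backup`, `/db`, `/site`), not one per extension, which is the whole saving the thread is about.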
