
[ossec-dev] [Bug 65] New: rules/web_rules.xml 31104 blocks CJK



http://www.ossec.net/bugs/show_bug.cgi?id=65

           Summary: rules/web_rules.xml 31104 blocks CJK
           Product: OSSEC
           Version: 1.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P1
         Component: ossec core
        AssignedTo: ossec-dev@xxxxxxxxx
        ReportedBy: ishio@xxxxxxxxxx


in rules/web_rules.xml

  <rule id="31104" level="6">
    <if_sid>31100</if_sid>

    <!-- Attempt to do directory transversal, simple sql injections,
      -  or access to the etc or bin directory (unix). -->
    <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..</url>
    <url>cmd.exe|root.exe|_mem_bin|msadc|/winnt/|</url>
    <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|</url>
    <url>cat%|exec%|rm%20</url>
    <description>Common web attack.</description>
    <info>http://www.armbrustconsulting.com/LogEntries.html</info>
    <group>attack,</group>
  </rule>


|cd%|
Both c and d are hexadecimal chars, so cd% means not only "cd%" but also the 0xcd
char in a ..%cd%... sequence.
0xcd often appears in multibyte CJK code.
I suggest deleting it.


-- 
Configure bugmail: http://www.ossec.net/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
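
The false positive described in the report, reproduced in Python as an added example (not part of the original message and not OSSEC's own code). It assumes each '|'-separated token in a <url> line is tested as a case-insensitive substring; the helper names and sample URLs are constructed for illustration.

```python
from urllib.parse import quote_from_bytes

# Third <url> line of rule 31104, copied from the report above.
URL_LINE = "/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%|"
# The reporter's suggestion: the same line with the cd% token deleted.
URL_LINE_FIXED = URL_LINE.replace("cd%|", "")


def matched_tokens(url, pattern_line=URL_LINE):
    """Return the tokens of a '|'-separated pattern line found in url.

    Assumption: every token is a plain, case-insensitive substring test.
    """
    haystack = url.lower()
    return [t for t in pattern_line.split("|") if t and t.lower() in haystack]


def euc_jp_lead_cd():
    """Byte pairs starting with 0xCD that are valid EUC-JP characters."""
    pairs = []
    for trail in range(0xA1, 0xFF):
        raw = bytes([0xCD, trail])
        try:
            raw.decode("euc_jp")
        except UnicodeDecodeError:
            continue  # unassigned cell, not a real character
        pairs.append(raw)
    return pairs


def encoded_path(raw):
    """Percent-encode raw bytes as a client using a legacy charset would."""
    return "/search?q=" + quote_from_bytes(raw)


# Constructed sample requests (not taken from real logs).
BENIGN_CJK = encoded_path(euc_jp_lead_cd()[0])   # "/search?q=%CD%A1"
SHELL_STYLE = "/cgi-bin/test.cgi?x=cd%20/tmp"     # what cd% was written for
ASCII_ONLY = "/index.html"

if __name__ == "__main__":
    for label, url in [("benign CJK", BENIGN_CJK),
                       ("shell-style", SHELL_STYLE),
                       ("plain ASCII", ASCII_ONLY)]:
        print(f"{label:12} {url:32} original={matched_tokens(url)} "
              f"without cd%={matched_tokens(url, URL_LINE_FIXED)}")
```

Every EUC-JP character with lead byte 0xCD is followed by a trail byte that is also percent-encoded, so its URL form always contains "%CD%" and hits the token. Deleting the token clears those matches and also stops this line from matching the shell-style request.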

