Author Topic: URL command leak  (Read 2591 times)

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
URL command leak
« on: May 14, 2002, 12:24:01 PM »
This filter is not confirmed to work!

ScoJo has posted this fileter:

It is possible for URL commands to be leaked through the Referer
header. Bypass.. bweb.. or bout.. a site then click a link, the
referrer will include the commands and your prefix.
This little filter will remove them:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "Referer: Remove URL Commands and Prefix (out)"
Match = "([^:]+:/+)1([^/.]+(..|//))+{1,*}2"
Replace = "12"

ScoJo
Best wishes
Arne
Imici username= Arne

Jor

  • Sr. Member
  • ****
  • Posts: 421
    • ICQ Messenger - 10401286
    • AOL Instant Messenger - jor otf
    • Yahoo Instant Messenger - jor_otf
    • View Profile
    • http://members.outpost10f.com/~jor/
    • Email
URL command leak
« Reply #1 on: May 14, 2002, 07:04:50 PM »
Thanks for posting this filter here Arne

I don't check the Yahoogroup anymore because of all the traffic: this forum has a low enough posting rate for me to read all the posts, something I much prefer, but of course I may miss some filters on the Yahoogroup *L*


Filter is now a part of my permanent config set!

 
 

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
URL command leak
« Reply #2 on: May 14, 2002, 08:35:15 PM »
I hardly read them myself anymore either. Just sometimes. And I am happy that some of our friends here on the board also keep an eye on what new things are made and posted there. It is much easyer when we all keep an eye on things every now and then. I don't have time to read all the postings there either. So all help is appreciated keeping us all up to date.

Best wishes
Arne
Imici username: Arne
Best wishes
Arne
Imici username= Arne

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
URL command leak
« Reply #3 on: May 19, 2002, 02:12:52 PM »
Does it work for you?

Here is a site containing nothing but nosey scripts:
http://prx4ever.virtualave.net/ps/

Bypassing it with the filter turned on i still get this:

GET /ps/touko.GIF HTTP/1.0
Accept: */*
Referer: http://"my-prefix"bypass..http://prx4ever.virtualave.net/ps/



 
 

Arne

  • Administrator
  • Hero Member
  • *****
  • Posts: 778
    • ICQ Messenger - 1448105
    • AOL Instant Messenger - aflaaten
    • Yahoo Instant Messenger - arneflaa
    • View Profile
    • http://
    • Email
URL command leak
« Reply #4 on: May 19, 2002, 03:04:14 PM »
No, I can not confirm that it works. And when I come to think about it I wonder how a filter can work if one bypass all the filters?? I have tried different sites, but no confirm. Anyone?

If not, I will delete this filter.

Best wishes
Arne
Imici username: Arne
Best wishes
Arne
Imici username= Arne

sidki3003

  • Sr. Member
  • ****
  • Posts: 476
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
URL command leak
« Reply #5 on: May 19, 2002, 03:40:15 PM »
Ok, it actually does work when you are already on the bypassed site and click a link from there.

But that's not that much of a help, especially if you have a referrer filter in place that replaces with something like "http://h/" or "u".

So it's off my config now