[Emerging-Sigs] Bug in lots of references - comma

waldo kitty wkitty42 at windstream.net
Thu Oct 14 15:33:09 EDT 2010


On 10/14/2010 15:15, Matthew Jonkman wrote:
> Thanks for the heads up. Changing what we can, but unfortunately m86 gives you a page not found if you encode.

that's weird that they're 404ing on encoded entities... i note that it is the 
comma being encoded that they are erroring on... this works...

   www.m86security.com/trace/i/Lethic,spambot.1205%7E.asp

i wonder if their redirect stuff is not looking for an encoded comma in addition 
to a plain comma...


FWIW: i only found 16 entries with this problem using the published grep line...

>
> I'll shoot them an email and see what we can work out. Anyone know someone over there?
>
> Matt
>
> On Oct 14, 2010, at 1:21 PM, elof at sentor.se wrote:
>
>>
>> Lots of url references, particularly the ones to m86security are faulty
>> since they contain a comma. This screws up some systems since comma is the
>> separator (... reference:<id system>,<id>; ...). Also, the comma
>> character is reserved and not allowed in URLs.
>>
>> Ideally, m86security should modify their URLs (not use comma, and probably
>> also stop using the unsafe tilde character (~)), but I don't know the
>> likelihood of that happening.
>> ...so instead, perhaps ET could simply encode special characters in url
>> references? (see e.g.
>> http://www.blooberry.com/indexdot/html/topics/urlencoding.htm for a list
>> of chars and their encodings)
>>
>> Then this:
>>    reference:url,www.m86security.com/trace/i/Lethic,spambot.1205~.asp;
>> will look like this:
>>    reference:url,www.m86security.com/trace/i/Lethic%2Cspambot.1205%7E.asp;
>> ...and everything will work fine.
>>
>> Scripts dealing with the *.rules won't see any extra commas.
>> m86security don't need to fix their faulty URLs.
>> The encoded URLs work just fine when browsing the resource.
>>
>>
>> Some examples of sids with comma in the url reference:
>> 2010968
>> 2010650
>> 2010651
>> 2010648
>> 2010649
>> 2010646
>> 2010647
>> 2011329
>> 2011287
>> 2011290
>> 2011289
>> 2011288
>> 2009103
>>
>> Please fix these (and more).
>>
>>
>>
>>
>>
>> Oh. Apart from all the m86security references, I found (at least) one
>> other faulty reference:
>>
>> sid:2009103     reference:url,bugtraq,33301;
>>
>> Please fix as well.
>>
>>
>>
>> Note:
>> Run   grep -i 'msg:"ET .*reference:url,[^,;]*,' *.rules   to find faulty references.
>>
>> /Elof
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
>
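An added example, not code from the list or from Emerging Threats: a Python version of the audit discussed in this thread. It goes beyond the published grep line by extracting the sid, applying the proposed `%2C`/`%7E` encoding, and leaving values such as `bugtraq,33301` for manual review, since encoding cannot turn them into a URL. The names `audit_rule` and `encode_value`, the dot-in-hostname heuristic, and the sample rules are assumptions made for illustration.

```python
import re

# One url reference option: "reference:url,<value>;" (value runs to the next ';').
URL_REF = re.compile(r'(reference:\s*url\s*,)([^;]*);')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')
# Characters the thread proposes to encode: comma (the option separator) and tilde.
ENCODE = {',': '%2C', '~': '%7E'}


def encode_value(value):
    """Percent-encode commas and tildes; existing %XX escapes are left alone."""
    return ''.join(ENCODE.get(ch, ch) for ch in value)


def audit_rule(rule):
    """Return (sid, findings, rewritten_rule) for one rule line.
    findings holds (original, encoded, looks_like_url) for each url reference
    containing a comma. looks_like_url is a heuristic (assumption): the part
    before the first comma contains a dot, as a hostname would.
    """
    m = SID.search(rule)
    sid = int(m.group(1)) if m else None
    findings = []

    def rewrite(match):
        prefix, value = match.group(1), match.group(2)
        if ',' not in value:
            return match.group(0)  # no extra comma, nothing to fix
        is_url = '.' in value.split(',', 1)[0]
        findings.append((value, encode_value(value), is_url))
        # Rewrite only values that look like URLs; the rest need a human.
        return prefix + (encode_value(value) if is_url else value) + ';'

    return sid, findings, URL_REF.sub(rewrite, rule)


# Constructed sample rules: sids and msgs are invented, reference strings are from the thread.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"ET EXAMPLE one"; reference:url,www.m86security.com/trace/i/Lethic,spambot.1205~.asp; sid:9000001;)',
    'alert tcp any any -> any any (msg:"ET EXAMPLE two"; reference:url,bugtraq,33301; sid:9000002;)',
    'alert tcp any any -> any any (msg:"ET EXAMPLE three"; reference:url,example.com/no-comma; sid:9000003;)',
]

if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        sid, findings, fixed = audit_rule(rule)
        for original, encoded, is_url in findings:
            action = 'encode -> ' + encoded if is_url else 'manual review'
            print(f'sid {sid}: {original}: {action}')
```

Whether the encoded form still resolves has to be checked per site before a rewritten rule is published; as reported above, m86security returned a page not found for the encoded comma.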


