<object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
Apr. 14, 2010, 04:34 PM
(This post was last modified: Apr. 15, 2010 02:06 PM by JJoe.)
Post: #1
The Match
Quote:
($TST(script=1*)(*</script)+{1,*}(^*<script)$SET(script=)
I have seen an odd 404. Changing \\x to \x has fixed it but....
Later Edit: Removed Test filter and some code.
Apr. 15, 2010, 05:05 AM
Post: #2
(Apr. 14, 2010 04:34 PM)JJoe Wrote: ...I have seen an odd 404. Changing \\x to \x has fixed it but....
But what? I don't understand the filter and javascript but I do see 22 is the hex value for " and 27 for '. Maybe \xnn works in javascript to represent the character with the hex value nn? On the other hand, \x has a special meaning in the replacement text which refers to the URL command prefix. I guess that's why the filter adds a backslash to suppress the special meaning of the following \.
Apr. 15, 2010, 02:02 PM
Post: #3
(Apr. 15, 2010 05:05 AM)whenever Wrote: But what?
Mostly what you said and I was out of time. The 404 addresses have http://local.ptron/killed.gif added to them. I thought the extra \ might be a typo and the filter might be off but I think not now. Ah, it may be a browser bug for Firefox.
(Apr. 15, 2010 05:05 AM)whenever Wrote: Maybe \xnn works in javascript to represent the character with the hex value nn?
Maybe not for Firefox 3.6.2. Firefox 3.6.2 and http://www.cbssports.com/nba/scoreboard for the curious. I will have to chase it later... Thanks
Apr. 15, 2010, 08:46 PM
Post: #4
(Apr. 15, 2010 02:02 PM)JJoe Wrote: I will have to chase it later...
It doesn't always happen but when it does http://local.ptron/.pinfo/urls/ shows:
Code:
Closed 672 404 text/html 17856 http://www.cbssports.com/nba/%5Cx22http://local.ptron/killed.gif%5Cx22
http://www.cbssports.com/nba/+image_server+ is also a mistake, I think. With Firefox only, so far.
May. 24, 2010, 09:18 PM
(This post was last modified: May. 24, 2010 09:19 PM by sidki3003.)
Post: #5
Yes, it has to be a double backslash. The respective line in the original filter is:
Code:
|$TST(script=*)($TST(\1=\")$SET(1=\\x22)|$TST(\1=\')$SET(1=\\x27))
And yep, \x22 and \x27 are supposed to stand for double quote and single quote, respectively. Hex representation has been shown to be more robust on injection than the escaped notation.
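Added example, not from any post in this thread or from the filter set: one reason hex notation holds up when text is injected into a script string that sits inside an HTML attribute, where backslash-escaped quotes do not, and how the undecoded text looks when it ends up used as a URL, as in the log line in post #4. The helper names, the `<a onclick=...>` markup and the use of `encodeURI` to stand in for the browser's URL encoding are assumptions.

```javascript
// Constructed sample: text a filter wants to place inside a JS string that
// itself sits in a double-quoted HTML attribute.
const RAW = '"http://local.ptron/killed.gif"';

// Escaped notation: a backslash before each quote character.
function escapeBackslash(s) {
  return s.replace(/["']/g, (q) => '\\' + q);
}

// Hex notation: \x22 for ", \x27 for '.
function escapeHex(s) {
  return s.replace(/["']/g, (q) => '\\x' + q.charCodeAt(0).toString(16));
}

// Build markup: a single-quoted JS string inside a double-quoted attribute.
function buildTag(escaped) {
  return '<a onclick="var s=\'' + escaped + '\';">';
}

// An HTML tokenizer ends a double-quoted attribute at the next " and knows
// nothing about backslash escapes. This regex models only that one rule.
function attributeSeenByHtml(tag) {
  return /onclick="([^"]*)"/.exec(tag)[1];
}

// Evaluate the handler source as JavaScript and return s, or null if the
// source no longer parses.
function stringSeenByJs(handler) {
  try {
    return new Function(handler + ' return s;')();
  } catch (e) {
    return null;
  }
}

// Outside a JS string nothing decodes \x22. encodeURI stands in here for a
// browser percent-encoding the backslash when the text is used as a URL.
function asUrlPath(escaped) {
  return encodeURI(escaped);
}
```

With `escapeBackslash` the attribute is cut at the first `"` and the handler no longer parses; with `escapeHex` the script string decodes back to the original quoted text.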