scip_Advisory 3808 - D-Link DIR-100 long url filter evasion

Video link: https://www.youtube.com/watch?v=WTzPn37XNl4



Duration: 2:03


http://www.scip.ch/?vuldb.3808

D-Link DIR-100 is a small and cost-effective router and firewall device for small offices and home users.

Marc Ruef at scip AG found a way to evade the URL filters that the web proxy uses to prevent access to web sites. An attacker might add a very long string to the URL to access web resources although access to them is forbidden. The vulnerability can be exploited with a common web browser by using a long URL (approx. 1'300 chars). The URL can be lengthened by adding an unused HTTP GET request parameter.

Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement.
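One way such a detection pattern could look, as an added example that is not part of the original advisory: it scans proxy log lines for over-long URLs and reports which query parameter carries the padding. The log layout, the length threshold, the blocklist and all host names are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the advisory): threshold, blocklist and log layout.
LENGTH_THRESHOLD = 1000               # alert below the approx. 1'300 chars cited
BLOCKED_HOSTS = {"blocked.example"}   # hosts the URL filter is meant to deny

# Constructed sample lines in the form "<client> <method> <url> <status>".
SAMPLE_LOG = [
    "192.0.2.10 GET http://allowed.example/index.html 200",
    "192.0.2.11 GET http://blocked.example/ 403",
    "192.0.2.12 GET http://blocked.example/?pad=" + "A" * 1300 + " 200",
    "192.0.2.13 GET http://allowed.example/search?q=" + "B" * 1300 + " 200",
]

def is_blocked(host):
    """True if host is a blocked host or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def inspect(line):
    """Return a finding dict for an over-long URL, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None                   # malformed line, nothing to judge
    client, _method, url, status = parts
    if len(url) < LENGTH_THRESHOLD:
        return None
    split = urlsplit(url)
    host = (split.hostname or "").lower()
    # The longest query value is the most likely padding parameter.
    params = parse_qsl(split.query, keep_blank_values=True)
    name, value = max(params, key=lambda kv: len(kv[1]), default=("", ""))
    # A forbidden host that was served despite the filter is the evasion case.
    evaded = is_blocked(host) and status.startswith("2")
    return {
        "client": client,
        "host": host,
        "url_length": len(url),
        "padding_param": name,
        "padding_length": len(value),
        "severity": "high" if evaded else "review",
    }

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Long URLs to permitted hosts are reported as "review" rather than dropped, because legitimate applications also produce long query strings and the threshold needs tuning against normal traffic.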

We informed D-Link at an early stage. Our technical requests were neither answered nor confirmed. Therefore, no official statement, patch or upgrade is available. We suggest using another device to filter forbidden web resources successfully.






