There are so many variants to directory traversal vulnerabilities, especially in web servers and other software where encoding and canonicalization is such a factor, that I have seen a number of confusing cases such as this. It definitely helps when the researcher who discovers a new variant specifically references the old variant and says how the underlying problem is different. This doesn't seem to happen too frequently, though, and distinguishing between variants gets much more difficult when it is not known if the vendor has fixed the original variant. In this case, it looks like the programmer introduced what I call a "validate-before-canonicalize" error, for lack of a better term: the software may well strip ".." sequences from the input (the original bug), but the programmer does this cleansing *before* the operation that does the URL decoding (kind of like a new bug - performing operations in the wrong order). As programmers have slowly gotten better about avoiding the obvious directory traversal issues, these "validate-before-canonicalize" errors seem to be cropping up more frequently. - Steve
This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 13:48:50 PDT