The Flicks Titan application firewall for IIS has a vulnerability in the url inspection allowing it to be easily bypassed.
c9ae3c7cec218aa4c0a512ca5aab4dada76da541b52fcc647bd0702fc4ea36a6
I originally sent this message to bugtraq, but they did not post
it. Instead they stuck it in their vulnerability database and
removed all of my comments and example. So much for full disclosure...
Flicks Software just released a product named Titan[1]. It is
described as an application firewall (i.e., it is an ISAPI filter for
IIS that can do varying levels of protocol inspection). One of the
features allows a user to filter on patterns within the URL for things
such as cmd.exe.
The problem is the guys at Flicks obviously don't understand web
security (which is scary because they have been developing AuthentiX
for some time now, not to mention the version of Titan I had was 5.5a7,
I am baffled at how a 5th major revision piece of software can be so
fundamentally broken).
I started off by placing cmd.exe into an executeable folder on my
web server and enabling the Titan security. As expected, I received
an error message when attempting to access the file. I then proceeded
to try a trick my little sister showed me. I URL encoded some of
the characters in the URL like so:
http://www.example.com/scripts/cmd%2Eexe?/C+dir+c:%5C
Would you believe that I got a directory listing back? I did.
What further disturbs me is that this has already been done, by
Microsoft and their arch rivals -- eEye[2]. eEye was first to market
with their SecureIIS product (~$400). I suspect that M$ then
released URLScan[3] for free as a jab at all the M$ advisories eEye
releases. So there are two decent products out there and Flicks
releases this piece of JUNK and thinks they can get ~$400 a pop.
HA! What a joke.
[1] http://www.flicks.com/titan
[2] http://www.eeye.com
[3] http://www.google.com?q=urlscan