Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious content to bypass HTTP content scanning systems. HTTP Content Scanning Systems have a pre-processor to decode various forms of HTTP encoded requests such as UTF encoding for attack signature analysis. Full-width and half-width is an encoding technique for Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. Some Open Source or Microsoft Products such as Microsoft IIS and .NET Framework properly decode this type of encoding. But most IDS/IPS/WAF products does not properly decode full-width Unicode (%uff) encoded HTTP requests for analysis, Lowercase/Uppercase conversion and character matching. By sending HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass the content scanning system. http://www.gamasec.net/english/gs07-01.html
netmon please advise.
http://www.kb.cert.org/vuls/id/739224 listed as vulnerable. http://www.kb.cert.org/vuls/id/MIMG-72BRK3 - no reponce from vendor. no mention of the vul in the email lists, website or release notes for 2.6.1.5. no reponce on irc #snort (yet) going to assume its not fixed in 2.6.1.5 until some upstream confirmation occurs
no news yet :(
This page has now been updated: http://www.kb.cert.org/vuls/id/MIMG-72BRK3 As of 19/06/2007 stating that snort is Not Vulnerable to this.
Seems like it doesn't affect snort after all.
