HTTP: Half-Full Width Unicode Encoding and Double Encoding Bypass

This signature detects Unicode encoding in HTTP requests. Some IPS products do not decode Unicode in HTTP requests properly, so an attacker can attempt to evade the IPS by using such encoding.

Extended Description

Multiple products are reportedly prone to a vulnerability that may allow malicious HTTP traffic to bypass detection. Attackers may send this type of HTTP data to evade detection and perform further attacks. Cisco has stated that all IOS releases that support the Firewall/IPS feature set are affected. Although we currently have no definitive list of such versions, Symantec is investigating the matter and will update this BID's list of vulnerable systems appropriately.

Affected Products

Cisco ios, Cisco intrusion_prevention_system

Short Name
HTTP:IIS:ENCODING:UNICODE-BP
Severity
Warning
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
Bypass CVE-2007-2689 Double Encoding Half-Full Unicode Width and bid:23980
Release Date
05/17/2007
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
False Positive
Frequently
Vendors

Tippingpoint

Cisco

Stonesoft

CVSS Score

7.8
