HTTP: Unicode Encoding in URL
This signatures detects unicode encoding in URLs. Some IPS do not decode unicode in URLs. An attacker can attempt to evade the IPS by using such encoding. Juniper IDP and DI products are not vulnerable to this technique.
Extended Description
The Microsoft IIS web server supports a non-standard method of encoding web requests. Because this method is non-standard, intrusion detection systems may not detect attacks encoded using this method. This vulnerability only affects intrusion detection systems in environments where '%u' unicode encoding is supported by a webserver (ie, IIS). If there is no webserver support for this encoding method or if it is disabled, there will be no targets to which encoded attacks can be sent. **NOTE**: Only RealSecure, Dragon and Snort are confirmed vulnerable. It is highly likely that IDS systems from other vendors are vulnerable as well, however we have not recieved confirmation. This record will be updated as more information becomes available regarding affected technologies. BlackICE products detect '%u' encoded requests as being invalid, but do not decode them and detect encoded attack signatures.
Affected Products
Cisco catalyst_6000_ids_module,Cisco secure_intrusion_detection_system_(netranger)
Short Name
HTTP:IIS:ENCODING:UNICODE
Severity
Info
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2001-0669 Encoding URL Unicode bid:3292 in
Release Date
10/20/2006
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Rarely
Vendors
Enterasys_networks
Cisco
Ibm
Nfr
Snort_project
CVSS Score
7.5