flickstitan.txt

`I originally sent this message to bugtraq, but they did not post   
it. Instead they stuck it in their vulnerability database and   
removed all of my comments and example. So much for full disclosure...  
  
Flicks Software just released a product named Titan[1]. It is   
described as an application firewall (i.e., it is an ISAPI filter for   
IIS that can do varying levels of protocol inspection). One of the   
features allows a user to filter on patterns within the URL for things   
such as cmd.exe.   
  
The problem is the guys at Flicks obviously don't understand web   
security (which is scary because they have been developing AuthentiX   
for some time now, not to mention the version of Titan I had was 5.5a7,   
I am baffled at how a 5th major revision piece of software can be so   
fundamentally broken).  
  
I started off by placing cmd.exe into an executeable folder on my   
web server and enabling the Titan security. As expected, I received   
an error message when attempting to access the file. I then proceeded  
to try a trick my little sister showed me. I URL encoded some of   
the characters in the URL like so:  
  
http://www.example.com/scripts/cmd%2Eexe?/C+dir+c:%5C  
  
Would you believe that I got a directory listing back? I did.  
  
What further disturbs me is that this has already been done, by   
Microsoft and their arch rivals -- eEye[2]. eEye was first to market   
with their SecureIIS product (~$400). I suspect that M$ then   
released URLScan[3] for free as a jab at all the M$ advisories eEye   
releases. So there are two decent products out there and Flicks  
releases this piece of JUNK and thinks they can get ~$400 a pop.  
HA! What a joke.  
  
  
[1] http://www.flicks.com/titan  
[2] http://www.eeye.com  
[3] http://www.google.com?q=urlscan  
  
`