OWASP Stinger Filter Bypass Weakness

Bugtraq ID:	25294
Class:	Design Error
CVE:	CVE-2007-4385
Remote:	Yes
Local:	No
Published:	Aug 13 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	Meder Kydyraliev <[email protected]> is credited with the discovery of this issue.
Vulnerable:	OWASP Stinger 0
Not Vulnerable:	OWASP Stinger 2.5

OWASP Stinger Filter Bypass Weakness

OWASP Stinger is prone to a filter-bypass weakness because the application fails to properly handle certain input.

Since the OWASP Stinger project is a software module designed to be incorporated into other applications, this weakness may be exploitable only if applications use it in a vulnerable way.

Successfully exploiting this issue may allow attackers to bypass the filter, aiding them in further attacks.

Versions prior to Stinger 2.5 are vulnerable to this issue.

OWASP Stinger Filter Bypass Weakness

Attackers use readily available network utilities to exploit this issue.

The following proof-of-concept exploit is available for WebScarab:

• /data/vulnerabilities/exploits/Multipartify.txt

OWASP Stinger Filter Bypass Weakness

Solution:
The vendor has released Stinger 2.5 to address this issue. Please see the references for more information.


OWASP Stinger 0

• OWASP Stinger-2.5.jar
  https://www.owasp.org/index.php/Image:Stinger-2.5.jar

OWASP Stinger Filter Bypass Weakness

References:

• Stinger Project Page (OWASP)
  
• [o0o] Bypassing servlet input validation filters (OWASP Stinger + Struts example (Meder Kydyraliev )
  
• Bypassing servlet input validation filters (OWASP Stinger + Struts example) (OWASP)