Re: Improper Character Handling In PHP Based Scripts like PhpBB, IPB etc.

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear h4cky0u,

This  characters  has  a code of 173 (0xAD). What you see or what you do
not see depends only on your current codepage . Probably, this character
will    be    filtered  out  by  Windows  API may be as non-printable or
during  conversion from Windows-xxxx to Unicode. PHP have no relation to
this.

-- 
~/ZARAZA
http://www.security.nnov.ru/


--Tuesday, January 24, 2006, 1:43:09 PM, you wrote to full-disclosure () lists grok org uk:

h> Well this was after i found somebody posing as me on my site -->
h> http://www.h4cky0u.org which was actually quite interesting and
h> dangerous  (looking from the social engineering point of view).
h>  
h> Download the following file -
h>  
h> http://www.h4cky0u.org/poc.txt
h>  
h> Make sure you download it and not view it from the browser.  Once
h> you download that file open it in your text editor. You should see
h> something like-
h>  
h> --desiredusername

h> Copy that whole string and try and post it on any PHP Based blog,
h> forum etc or register a username with that string. Now what do you
h> see? The -- part from --desiredusername is gone! But apparently its
h> still there. It still hides within that string(Try and reverse the
h> process you just did). Ok so the bug has been confirmed. Now come the
h> questions -
h>  
h> 1) Is this really a bug in PHP (tested with PHP 4.3.11 and later
h> versions might as well be affected)? Or am i overlooking something?
h>  
h> 2) What is the ASCII code of that -- part in the file if it isn't
h> just 2 simple hyphens? (Tried all the possible methods but couldnt
h> come up with anything positive.)
h>  
h> 3) What are the possible ways to avoid something like this?





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/