Full Disclosure mailing list archives
Re: noise about full-width encoding bypass?
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 21 May 2007 11:33:08 -0400
On 5/21/07, Łukasz Pilorz <lukasz () pilorz net> wrote:
> I think this encoding bypass may have some impact on applications which convert data from Unicode/UTF to other encodings. A naive example: http://lukasz.pilorz.net/testy/full_width_utf/index.phps
> But I don't suggest this was the main problem, I have probably missed something too.
Your POC works for me: the PHP iconv code converts the UTF-8 byte sequence 0xef 0xbc 0x9c to ASCII '<'. Looks like PHP applications may be at risk.

The Java CharsetDecoder class does not. (I don't think this will be JRE specific, but I tested the IBM JRE...)

The Perl Encode module does not.

Anybody have an IIS server handy, to test out how .NET handles this?

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
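The behaviour Brian describes is an ordering problem: a filter that looks for '<' in the decoded Unicode text, followed by a lossy conversion that folds the full-width form U+FF1C (UTF-8 0xef 0xbc 0x9c) onto ASCII '<'. The following Python is an added illustration written for this archive page, not code from the thread or from PHP, Java or Perl. It uses NFKC normalization as a stand-in for a transliterating conversion (an assumption; PHP's iconv is not being called), contrasts check-then-convert with convert-then-check, and shows the strict-conversion behaviour the mail attributes to Java and Perl, where the conversion fails instead of producing '<'. The sample byte strings are constructed.

```python
import unicodedata

# Constructed sample: the UTF-8 bytes from the mail decode to U+FF1C,
# FULLWIDTH LESS-THAN SIGN.
FULLWIDTH_LT = b"\xef\xbc\x9c"

def to_ascii_compat(text: str) -> str:
    """Lossy conversion modelled on a transliterating iconv call (assumption:
    NFKC stands in for PHP's behaviour). Compatibility characters such as
    full-width forms are folded onto their ASCII equivalents."""
    return unicodedata.normalize("NFKC", text)

def check_then_convert(raw: bytes):
    """Vulnerable ordering: validate the decoded Unicode, then convert.
    Returns None when rejected, else the converted text. A full-width '<'
    passes the check and only becomes a real '<' afterwards."""
    text = raw.decode("utf-8")
    if "<" in text or ">" in text:
        return None
    return to_ascii_compat(text)

def convert_then_check(raw: bytes):
    """Hardened ordering: convert first, then validate the form the
    downstream consumer will actually see. Returns None when rejected."""
    text = to_ascii_compat(raw.decode("utf-8"))
    if "<" in text or ">" in text:
        return None
    return text

def strict_ascii(raw: bytes):
    """Non-transliterating conversion, the behaviour the mail reports for
    Java's CharsetDecoder and Perl's Encode: anything outside ASCII makes
    the conversion fail (None) rather than silently become '<'."""
    try:
        return raw.decode("utf-8").encode("ascii").decode("ascii")
    except UnicodeEncodeError:
        return None

def folding_specials(raw: bytes):
    """Detection helper: list (original, folded) pairs for characters whose
    compatibility form differs from the original and contains one of the
    markup-significant ASCII characters. Useful for logging or review of
    input that will later pass through a lossy conversion."""
    specials = set("<>\"'&")
    hits = []
    for ch in raw.decode("utf-8"):
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and specials & set(folded):
            hits.append((ch, folded))
    return hits

if __name__ == "__main__":
    sample = b"a" + FULLWIDTH_LT + b"b"
    print("check-then-convert:", check_then_convert(sample))   # 'a<b' slips through
    print("convert-then-check:", convert_then_check(sample))   # None, rejected
    print("strict conversion: ", strict_ascii(sample))         # None, fails safely
    print("folding specials:  ", folding_specials(sample))
```

The lesson for a PHP-style pipeline is the same regardless of language: run any filter on the representation that reaches the consumer, which means after the lossy conversion, or use a strict conversion that refuses to transliterate.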
Current thread:
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass?, (continued)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 21)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 21)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 23)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 23)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 23)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)