Full Disclosure mailing list archives

Re: noise about full-width encoding bypass?


From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 21 May 2007 14:36:59 -0400

On 5/21/07, Brian Eaton <eaton.lists () gmail com> wrote:
> Has anyone had a look at the full-width unicode encoding trick discussed here?
>
> http://www.kb.cert.org/vuls/id/739224
>
> AFAICT, this technique could be useful for a homograph attack.  I
> don't think it's useful for much else.  However, a few vendors have
> reacted already, so I may be missing something important.

To summarize what I've heard from various sources: I am missing
something important. =)  Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.  I don't think J2EE apps are
vulnerable, but this is definitely useful for more than just
homograph attacks.

Thanks to the various people who have tested this out!

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
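
Added example, not part of the original message and not code from PHP, ASP.NET or any scanner vendor: a content check that matches signatures on the request as sent, next to one that canonicalizes first, so a filter sees what an application that decodes full-width characters into their ASCII equivalents would see. The blocklist, function names and sample values are constructed for illustration, and the explicit U+FF01..U+FF5E fold plus NFKC is an assumed stand-in for the framework's own decoding.

```python
import unicodedata
from urllib.parse import unquote

FULLWIDTH_FIRST, FULLWIDTH_LAST = 0xFF01, 0xFF5E  # fullwidth '!' .. fullwidth '~'
FOLD_OFFSET = 0xFEE0                              # U+FF01 - U+0021

BLOCKLIST = ("<script", "../")  # constructed sample signatures

# Constructed sample inputs (percent-encoded UTF-8, as they would arrive in a query string)
SAMPLE_EVASIVE = "%EF%BC%9Cscript%EF%BC%9E"  # U+FF1C 'script' U+FF1E
SAMPLE_BENIGN = "name=%E3%82%AB"             # katakana KA, not a fullwidth ASCII variant


def fold_fullwidth(text):
    """Map fullwidth ASCII variants to ASCII; return (folded_text, chars_folded)."""
    out, hits = [], 0
    for ch in text:
        cp = ord(ch)
        if FULLWIDTH_FIRST <= cp <= FULLWIDTH_LAST:
            out.append(chr(cp - FOLD_OFFSET))
            hits += 1
        else:
            out.append(ch)
    return "".join(out), hits


def naive_scan(raw_value):
    """Signature match on the value exactly as sent (no decoding)."""
    return any(sig in raw_value.lower() for sig in BLOCKLIST)


def canonical_scan(raw_value):
    """Percent-decode, fold fullwidth forms, normalize, then match signatures."""
    decoded = unquote(raw_value)                     # percent-decoding as UTF-8
    folded, hits = fold_fullwidth(decoded)
    folded = unicodedata.normalize("NFKC", folded)   # other compatibility forms
    blocked = any(sig in folded.lower() for sig in BLOCKLIST)
    # fullwidth_chars is worth logging even when nothing matched
    return {"blocked": blocked, "fullwidth_chars": hits, "canonical": folded}


if __name__ == "__main__":
    for sample in (SAMPLE_EVASIVE, SAMPLE_BENIGN):
        print(sample, naive_scan(sample), canonical_scan(sample))
```

Full-width characters are ordinary in CJK text, so the count is a signal to log or weigh, not a reason to reject on its own.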

