Full Disclosure mailing list archives
Re: noise about full-width encoding bypass?
From: "Steven Adair" <steven () securityzone org>
Date: Mon, 21 May 2007 14:41:58 -0500 (EST)
On 5/21/07, ascii <ascii () katamail com> wrote:Brian Eaton wrote:To summarize what I've heard from various sources: I am missing something important. =) Both PHP and ASP.NET will decode these characters into their ASCII equivalents.(AFAIK) Only ASP.NET/IIS decodes that automatically. PHP *can* do that as like JSP and probably others but that has to happen explicitly in the application code or on an other layer.(Cracking up that somebody going by the handle ascii is commenting on character encoding issues. =) Given how few application platforms decode full-width unicode to ASCII equivalents, is there a case to be made that those application platforms that do decide this conversion is a good idea are broken? Put another way: should this be considered a bug in ASP.NET?
I think you could be on either side, but I would learn towards this being a feature than a bug. Multiple products appear to do the decoding in the same manner and intentionally perform this function. However, the recent advisories that went out were geared towards IDS/IPS products that were not designed to be able to recognize such half-/full-width encoded traffic. Unless there is some RFC or generally followed documentation saying the traffic should not be encoded/decoded as such, I would continue to lean towards this being a feature. It just appears to be a place much of the IT (security) world has overlooked. Steven securityzone.org
Regards, Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 22)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? ascii (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? Steven Adair (May 21)
- Re: noise about full-width encoding bypass? Valdis . Kletnieks (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 22)
- Re: noise about full-width encoding bypass? ascii (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Chris Weber (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? ascii (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Brian Eaton (May 22)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 21)