Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: noise about full-width encoding bypass?

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 22 May 2007 16:33:54 +0400
Dear Brian Eaton,

--Monday, May 21, 2007, 11:28:27 PM, you wrote to ascii () katamail com:


BE> Given how few application platforms decode full-width unicode to ASCII
BE> equivalents, is there a case to be made that those application
BE> platforms that do decide this conversion is a good idea are broken?

BE> Put another way: should this be considered a bug in ASP.NET?

BE> Regards,
BE> Brian

Converting  e.g.  Unicode  full-width  'A'  into ASCII 'A' is definitely
valid and expected behavior. A bug is using unfiltered input in HTML/SQL
generation.  As for inability of content filter to catch this situation,
it's just one more way to bypass it. See

http://securityvulns.com/advisories/content.asp
http://securityvulns.com/advisories/bypassing.asp


-- 
~/ZARAZA http://securityvulns.com/
Итак, я буду краток. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: