[Full-disclosure] noise about full-width encoding bypass?
3APA3A
3APA3A at SECURITY.NNOV.RU
Mon May 21 17:02:40 BST 2007
Dear Brian Eaton,
--Monday, May 21, 2007, 6:22:21 PM, you wrote to websecurity at webappsec.org:
BE> If the SQL engine is processing queries in ASCII or ISO-8859-1, the
BE> conversion from unicode to the code page used by the engine will fail.
BE> Either the engine will give up on the query, or it might substitute a
BE> question mark (?) for the unconvertible character.
It's not true, because it's quite convertible character. At least for IIS:
http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>
where test.asp is
<%=Request.QueryString("q")%>
launches javascript.
BTW: It may be used to bypass keyword based filtering to create, e.g.
porn pages available through any corporate firewall. See
http://securityvulns.ru/files/p.html
--
~/ZARAZA http://securityvulns.com/
Full-Disclosure is hosted and sponsored by Secunia.