[Full-disclosure] noise about full-width encoding bypass?
Brian Eaton
eaton.lists at gmail.com
Mon May 21 20:48:09 BST 2007
On 5/21/07, 3APA3A <3APA3A at security.nnov.ru> wrote:
> It's not true, because it's quite convertible character. At least for IIS:
>
> http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>
>
> where test.asp is
>
> <%=Request.QueryString("q")%>
>
> launches javascript.
This does not work for me for IIS 6 and IE 7. What platform did you test?
Regards,
Brian
Full-Disclosure is hosted and sponsored by Secunia.