[Full-disclosure] noise about full-width encoding bypass?
3APA3A
3APA3A at SECURITY.NNOV.RU
Tue May 22 13:33:54 BST 2007
Dear Brian Eaton,
--Monday, May 21, 2007, 11:28:27 PM, you wrote to ascii at katamail.com:
BE> Given how few application platforms decode full-width unicode to ASCII
BE> equivalents, is there a case to be made that those application
BE> platforms that do decide this conversion is a good idea are broken?
BE> Put another way: should this be considered a bug in ASP.NET?
BE> Regards,
BE> Brian
Converting e.g. Unicode full-width 'A' into ASCII 'A' is definitely
valid and expected behavior. A bug is using unfiltered input in HTML/SQL
generation. As for inability of content filter to catch this situation,
it's just one more way to bypass it. See
http://securityvulns.com/advisories/content.asp
http://securityvulns.com/advisories/bypassing.asp
--
~/ZARAZA http://securityvulns.com/
Итак, я буду краток. (Твен)
Full-Disclosure is hosted and sponsored by Secunia.