|
Full Disclosure
mailing list archives
Re: noise about full-width encoding bypass?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 22 May 2007 16:33:54 +0400
Dear Brian Eaton,
--Monday, May 21, 2007, 11:28:27 PM, you wrote to ascii () katamail com:
BE> Given how few application platforms decode full-width unicode to ASCII
BE> equivalents, is there a case to be made that those application
BE> platforms that do decide this conversion is a good idea are broken?
BE> Put another way: should this be considered a bug in ASP.NET?
BE> Regards,
BE> Brian
Converting e.g. Unicode full-width 'A' into ASCII 'A' is definitely
valid and expected behavior. A bug is using unfiltered input in HTML/SQL
generation. As for inability of content filter to catch this situation,
it's just one more way to bypass it. See
http://securityvulns.com/advisories/content.asp
http://securityvulns.com/advisories/bypassing.asp
--
~/ZARAZA http://securityvulns.com/
Итак, я буду краток. (Твен)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Re: noise about full-width encoding bypass?, (continued)
Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 21)
|
Intro
