Vulnerability Development mailing list archives

Re: special characters (HTTP)
From: Bluefish <11a () GMX NET>
Date: Sun, 6 Aug 2000 13:27:05 +0200

I believe most major httpds (Apache, IIS etc.) have dealt with this problem
long ago. However, some less well-known httpd software has had serious
problems with this (checking that the URL doesn't contain ".." BEFORE
converting special characters).

The issue was raised in the last Crypto-Gram, where Schneier expressed his
opinion that Unicode, and the standards being built around it, are too
complex, so flawed code is very likely to be generated. Some of these
problems are multiple ways to express whitespace (space, tab etc.) and
different encoding schemes depending on what kind of application is using
Unicode (some need to send BASE64-alike etc.).

A similar problem, alas. The article is available at
http://www.counterpane.com/

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
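
The ordering problem described in the message above, shown as an added example that is not part of the original post: a path handler that looks for ".." before percent-decoding, beside one that decodes once, normalises, and then verifies the result is still under the document root. DOCROOT, the function names and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root (assumption for this example)


def resolve_check_then_decode(url_path):
    """Flawed order: the '..' test runs on the still-encoded path."""
    if ".." in url_path:
        return None  # rejected
    decoded = unquote(url_path)  # '%2e%2e' only becomes '..' here, after the check
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))


def resolve_decode_then_check(url_path):
    """Corrected order: decode exactly once, normalise, then check containment."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # embedded NUL is never part of a valid file name
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # Decide on the final resolved path, not on substrings of the input.
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


def compare(paths):
    """Return (request, flawed result, corrected result) for each sample path."""
    return [(p, resolve_check_then_decode(p), resolve_decode_then_check(p))
            for p in paths]


# Constructed sample requests.
SAMPLES = [
    "/index.html",                # ordinary request
    "/../private/notes.txt",      # literal '..': both handlers reject it
    "/%2e%2e/private/notes.txt",  # encoded '..': only the corrected handler rejects it
    "/docs/%2e%2e/index.html",    # encoded '..' that still resolves inside DOCROOT
]

if __name__ == "__main__":
    for request, flawed, fixed in compare(SAMPLES):
        print(f"{request!r:32} flawed={flawed!r:28} fixed={fixed!r}")
```

The corrected handler does not search for ".." at all; it accepts or rejects based on where the decoded, normalised path ends up, so an encoded ".." that stays inside the document root is still served.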

