| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <174921992.20070522163354@SECURITY.NNOV.RU> Date: Tue, 22 May 2007 16:33:54 +0400 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: "Brian Eaton" <eaton.lists@...il.com> Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>, Web Security <websecurity@...appsec.org> Subject: Re: noise about full-width encoding bypass? Dear Brian Eaton, --Monday, May 21, 2007, 11:28:27 PM, you wrote to ascii@...amail.com: BE> Given how few application platforms decode full-width unicode to ASCII BE> equivalents, is there a case to be made that those application BE> platforms that do decide this conversion is a good idea are broken? BE> Put another way: should this be considered a bug in ASP.NET? BE> Regards, BE> Brian Converting e.g. Unicode full-width 'A' into ASCII 'A' is definitely valid and expected behavior. A bug is using unfiltered input in HTML/SQL generation. As for inability of content filter to catch this situation, it's just one more way to bypass it. See http://securityvulns.com/advisories/content.asp http://securityvulns.com/advisories/bypassing.asp -- ~/ZARAZA http://securityvulns.com/ Итак, я буду краток. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists