lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-id: <20070521190853.M55942@mail.casabasec.com>
Date: Mon, 21 May 2007 12:24:51 -0700
From: "Chris Weber" <chris@...l.casabasec.com>
To: ascii <ascii@...amail.com>,Brian Eaton <eaton.lists@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	Web Security <websecurity@...appsec.org>
Subject: Re: [WEB SECURITY] Re: noise about full-width
 encoding bypass?

Hold up a second folks, you're telling this list now that ASP.NET will
decompose various character sets like those containing your full-width single
quote, into it's ASCII equivalent.  Brian I think you should've stuck to your
original story because I'm almost certain this is completely untrue.  

If it were true then we'd have some dire state of emergency on our hands no? 
Compatibility decomposition and canonical composition are a function of the
Unicode normalization forms in use (http://unicode.org/reports/tr15/).  

*In particular, forms KD and KC would do what you're saying, but those aren't
commonly in use afaik.  Developers should be very cautious when normalizing to
these forms.

If you've managed to find some specific ASP.NET classes which normalize to
problematic forms KD/KC then you should let us know, but just saying all of
ASP.NET does this would be a huge stretch.  The framework supports all four
normalization methods
(http://msdn2.microsoft.com/en-us/winfx/system.string.aspx) and it's up to
developers to implement the ones they need.






---------- Original Message -----------
From: ascii <ascii@...amail.com>
To: Brian Eaton <eaton.lists@...il.com>
Cc: Web Security <websecurity@...appsec.org>, Full-Disclosure
<full-disclosure@...ts.grok.org.uk>
Sent: Mon, 21 May 2007 23:01:26 +0200
Subject: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding
bypass?

> Brian Eaton wrote:
> > To summarize what I've heard from various sources: I am missing
> > something important. =)  Both PHP and ASP.NET will decode these
> > characters into their ASCII equivalents.
> 
> (AFAIK)
> 
> Only ASP.NET/IIS decodes that automatically.
> 
> PHP *can* do that as like JSP and probably others but that has
> to happen explicitly in the application code or on an other layer.
> 
> Regards,
> Francesco `ascii` Ongaro
> http://www.ush.it/
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
------- End of Original Message -------


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ