lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1188230787.693.26.camel@duo.jes.ee>
Date: Mon, 27 Aug 2007 19:06:27 +0300
From: Tonu Samuel <tonu@....ee>
To: Full-Disclosure@...ts.grok.org.uk
Subject: UTF reverse-writing WYSINWG "feature"

Hi!

Reading today http://www.digg.com/offbeat_news/WTF_is_this_Character
rang bells in my head. There is a nice utf character which just confuses
software and all display goes instead left-to-right into right-to-left.
It is difficult to exaplain but go and read original. 

But by concerns are related to security. For example even looking title
of this digg.com page with Firefox or Konqueror and you see that browser
name is reversed! I looked into source code with Firefox and lot of
things are reversed too!

I was thinking about possible (ab)uses of this "feature". Let say, I
want to write some rude words into some portal but they regexp it out.
Now I have way to do it. 

http://www.epl.ee/?artikkel=317582&kommentaarid=0 is random example.
"sitt" is bit rude word and they do not allow to use it inside
comments.  

Another example is Delfi. This is locally huge portal and they colour
word "delfi" in comments into their trademark colours:

http://www.delfi.ee/archive/article.php?id=16722806&ndate=1187643600&categoryID=120&com=1&s=1&no=180

Why it is in this list? I think this is serious security issue when you
have to audit source code of bank and you read 

if ( sum == 123 ) 

but actually machine understands it as 

if ( sum == 321 )

I am sure people in this list can come up with more ideas. Just wanted
to warn about such "feature".

   Tõnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ