full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] noise about full-width

Re: [Full-disclosure] noise about full-width encoding bypass?

From: 3APA3A <3APA3A_at_nospam>
Date: Mon May 21 2007 - 16:02:40 GMT
To: "Brian Eaton" <eaton.lists@gmail.com>


Dear Brian Eaton,

--Monday, May 21, 2007, 6:22:21 PM, you wrote to websecurity@webappsec.org:
BE> If the SQL engine is processing queries in ASCII or ISO-8859-1, the BE> conversion from unicode to the code page used by the engine will fail. BE> Either the engine will give up on the query, or it might substitute a BE> question mark (?) for the unconvertible character.

It's not true, because it's quite convertible character. At least for IIS:

http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>

where test.asp is

<%=Request.QueryString("q")%>

launches javascript.

BTW: It may be used to bypass keyword based filtering to create, e.g. porn pages available through any corporate firewall. See

http://securityvulns.ru/files/p.html

--

~/ZARAZA http://securityvulns.com/



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/