|Main Archive Page > Month Archives > full-disclosure-uk archives|
On 5/21/07, Brian Eaton <firstname.lastname@example.org> wrote:
> Has anyone had a look at the full-width unicode encoding trick discussed here?
> AFAICT, this technique could be useful for a homograph attack. I
> don't think it's useful for much else. However, a few vendors have
> reacted already, so I may be missing something important.
To summarize what I've heard from various sources: I am missing something important. =) Both PHP and ASP.NET will decode these characters into their ASCII equivalents. I don't think J2EE apps are vulnerable, but this is definitely useful for more more than just homograph attacks.
Thanks to the various people who have tested this out!