full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] noise about full-width

Re: [Full-disclosure] noise about full-width encoding bypass?

From: 3APA3A <3APA3A_at_nospam>
Date: Tue May 22 2007 - 12:33:54 GMT
To: "Brian Eaton" <eaton.lists@gmail.com>

Dear Brian Eaton,

--Monday, May 21, 2007, 11:28:27 PM, you wrote to ascii@katamail.com:
BE> Given how few application platforms decode full-width unicode to ASCII BE> equivalents, is there a case to be made that those application BE> platforms that do decide this conversion is a good idea are broken?

BE> Put another way: should this be considered a bug in ASP.NET?

BE> Regards,
BE> Brian

Converting e.g. Unicode full-width 'A' into ASCII 'A' is definitely valid and expected behavior. A bug is using unfiltered input in HTML/SQL generation. As for inability of content filter to catch this situation, it's just one more way to bypass it. See

http://securityvulns.com/advisories/content.asp http://securityvulns.com/advisories/bypassing.asp


~/ZARAZA http://securityvulns.com/
Итак, я буду краток. (Твен)

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/