[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] noise about full-width encoding bypass?

To: "Web Security" <websecurity@xxxxxxxxxxxxx>, Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] noise about full-width encoding bypass?
From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
Date: Mon, 21 May 2007 14:36:59 -0400

On 5/21/07, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
> Has anyone had a look at the full-width unicode encoding trick discussed here?
>
> http://www.kb.cert.org/vuls/id/739224
>
> AFAICT, this technique could be useful for a homograph attack.  I
> don't think it's useful for much else.  However, a few vendors have
> reacted already, so I may be missing something important.

To summarize what I've heard from various sources: I am missing
something important. =)  Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.  I don't think J2EE apps are
vulnerable, but this is definitely useful for more more than just
homograph attacks.

Thanks to the various people who have tested this out!

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] noise about full-width encoding bypass?
  - From: ascii
- Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?
  - From: Arian J. Evans

References:
- [Full-disclosure] noise about full-width encoding bypass?
  - From: Brian Eaton

Prev by Date: [Full-disclosure] [SECURITY] [DSA 1296-1] New php4 packages fix privilege escalation
Next by Date: Re: [Full-disclosure] noise about full-width encoding bypass?
Previous by thread: Re: [Full-disclosure] noise about full-width encoding bypass?
Next by thread: Re: [Full-disclosure] noise about full-width encoding bypass?
Index(es):
- Date
- Thread