RE: Bypassing of web filters by using ASCII

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Bypassing of web filters by using ASCII
From: "James C. Slora Jr." <james.slora@xxxxxxxx>
Date: Mon, 26 Jun 2006 15:31:58 -0400
In-reply-to: <44A01FCF.8090104@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcaZSkCu+lkayvhwTcGlsbxKLNgr3QACop/A
Thread-topic: Bypassing of web filters by using ASCII

Hubert Seiwert wrote Monday, June 26, 2006 1:57 PM

> I don't currently see how this "ascii vulnerability" would make code 
> injection possible on webservers where the Content-Type is not 
> US-ASCII already, as the 3 methods mentioned to change the charset 
> (http-equiv content-type header, CSS @charset, document.charset) 
> depend on being able to inject things already.

Agreed - the ASCII vulnerability doesn't make servers less secure. It
doesn't make user-agents less secure either, since nothing here has
exposed any new attack vectors. It merely introduces a big, glaring,
open way for hostile code to evade detection when delivered from hostile
servers or in served code that is already vulnerable to injection. Doing
this without XSS can further exploit site trust.

So while the merits of IE's US-ASCII rendering choice can be easily
debated, products that claim to help protect IE users by detecting
hostile code need to step up and cover the ASCII issue fully.

- Jim

References:
- Re: Bypassing of web filters by using ASCII
  - From: Hubert Seiwert

Prev by Date: [ GLSA 200606-26 ] EnergyMech: Denial of Service
Next by Date: Re: PHP security (or the lack thereof)
Previous by thread: Re: Bypassing of web filters by using ASCII
Next by thread: Re: Bypassing of web filters by using ASCII
Index(es):
- Date
- Thread