Bugtraq mailing list archives
RE: Bypassing of web filters by using ASCII
From: "James C. Slora Jr." <james.slora () phra com>
Date: Mon, 26 Jun 2006 15:31:58 -0400
Hubert Seiwert wrote Monday, June 26, 2006 1:57 PM
I don't currently see how this "ascii vulnerability" would make code injection possible on webservers where the Content-Type is not US-ASCII already, as the 3 methods mentioned to change the charset (http-equiv content-type header, CSS @charset, document.charset) depend on being able to inject things already.
Agreed - the ASCII vulnerability doesn't make servers less secure. It doesn't make user-agents less secure either, since nothing here has exposed any new attack vectors. It merely introduces a big, glaring, open way for hostile code to evade detection when delivered from hostile servers or in served code that is already vulnerable to injection. Doing this without XSS can further exploit site trust. So while the merits of IE's US-ASCII rendering choice can be easily debated, products that claim to help protect IE users by detecting hostile code need to step up and cover the ASCII issue fully. - Jim
Current thread:
- Bypassing of web filters by using ASCII k . huwig (Jun 21)
- Re: Bypassing of web filters by using ASCII Fixer (Jun 21)
- Re: Bypassing of web filters by using ASCII Paul (Jun 21)
- Re: Bypassing of web filters by using ASCII Kurt Huwig (Jun 22)
- Re: Bypassing of web filters by using ASCII Amit Klein (AKsecurity) (Jun 22)
- RE: Bypassing of web filters by using ASCII James C. Slora Jr. (Jun 23)
- RE: Bypassing of web filters by using ASCII Amit Klein (AKsecurity) (Jun 26)
- RE: Bypassing of web filters by using ASCII RSnake (Jun 26)
- Re: Bypassing of web filters by using ASCII Hubert Seiwert (Jun 27)
- RE: Bypassing of web filters by using ASCII James C. Slora Jr. (Jun 26)
- Re: Bypassing of web filters by using ASCII Paul (Jun 21)
- Re: Bypassing of web filters by using ASCII Fixer (Jun 21)
- Re: Bypassing of web filters by using ASCII Thor (Hammer of God) (Jun 23)
- Re: Bypassing of web filters by using ASCII Kurt Huwig (Jun 22)
- Re: Bypassing of web filters by using ASCII David Huecking (Jun 26)
- Message not available
- Re: Bypassing of web filters by using ASCII Amit Klein (AKsecurity) (Jun 23)
- Re: Bypassing of web filters by using ASCII Vincent Archer (Jun 26)
- Re: Bypassing of web filters by using ASCII Balazs Attila-Mihaly (Cd-MaN) (Jun 26)
- <Possible follow-ups>
- Re: Bypassing of web filters by using ASCII Kurt Huwig (Jun 22)