On 5/21/07, ascii <ascii@katamail.com> wrote:
Brian Eaton wrote:
To summarize what I've heard from various sources: I am missing
something important. =) Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.
(AFAIK)
Only ASP.NET/IIS decodes that automatically.
PHP *can* do that as like JSP and probably others but that has
to happen explicitly in the application code or on an other layer.
(Cracking up that somebody going by the handle ascii is commenting on
character encoding issues. =)
Given how few application platforms decode full-width unicode to ASCII
equivalents, is there a case to be made that those application
platforms that do decide this conversion is a good idea are broken?
Put another way: should this be considered a bug in ASP.NET?
I think you could be on either side, but I would learn towards this being
a feature than a bug. Multiple products appear to do the decoding in the
same manner and intentionally perform this function. However, the recent
advisories that went out were geared towards IDS/IPS products that were
not designed to be able to recognize such half-/full-width encoded
traffic. Unless there is some RFC or generally followed documentation
saying the traffic should not be encoded/decoded as such, I would continue
to lean towards this being a feature. It just appears to be a place much
of the IT (security) world has overlooked.
Steven
securityzone.org
Regards,
Brian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
