[Full-disclosure] UTF reverse-writing WYSINWG "feature"

Hi!

Reading today http://www.digg.com/offbeat_news/WTF_is_this_Character
rang bells in my head. There is a nice utf character which just confuses
software and all display goes instead left-to-right into right-to-left.
It is difficult to exaplain but go and read original. 

But by concerns are related to security. For example even looking title
of this digg.com page with Firefox or Konqueror and you see that browser
name is reversed! I looked into source code with Firefox and lot of
things are reversed too!

I was thinking about possible (ab)uses of this "feature". Let say, I
want to write some rude words into some portal but they regexp it out.
Now I have way to do it. 

http://www.epl.ee/?artikkel=317582&kommentaarid=0 is random example.
"sitt" is bit rude word and they do not allow to use it inside
comments.  

Another example is Delfi. This is locally huge portal and they colour
word "delfi" in comments into their trademark colours:

http://www.delfi.ee/archive/article.php?id=16722806&ndate=1187643600&categoryID=120&com=1&s=1&no=180

Why it is in this list? I think this is serious security issue when you
have to audit source code of bank and you read 

if ( sum == 123 ) 

but actually machine understands it as 

if ( sum == 321 )

I am sure people in this list can come up with more ideas. Just wanted
to warn about such "feature".

   TÃnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/