RE: AddDefaultCharset considered harmful (was: Mojibake on my Web pages)

From: jon@spin.ie
Date: Fri Sep 26 2003 - 06:08:29 EDT


    > Here is a link which describes how some hackers use
    > %XX and %uXXXX url encoding to mask a malicious request
    > or to get around an IDS product.
    >
    > http://www.cgisecurity.com/contrib/hd_spring_2002.pdf

    I wish hackers would give better references. This doesn't give proper credit to rain.forest.puppy for his work on that hole, and rain.forest.puppy didn't give a proper reference to the security warnings already published about UTF-8 (which unfairly made it look like the flaw was in UTF-8 rather than in the way UTF-8 encoded in IRIs was being transcoded).

    That particular issue doesn't really involve the character set documents are labelled as using, though that would bring other issues. However, the issues that do arise here will stem either from a faulty implementation of a transcoder (which a default charset setting won't affect - the cracker will label things in the way that suits their exploit) or through misidentified data - and this default setting misidentifies data and could possibly introduce new issues.

    A flipside to the security issues of this sort is that sometimes Unicode can make it more difficult to exploit buffer overflows, as the code being used to overflow the buffer is being transcoded from legacy to Unicode before the smash (it doesn't make it harder to overflow the buffer, but it makes it harder to do so in a way that runs code you want to run). See <http://www.phrack.org/show.php?p=61&a=11>
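The %XX / %uXXXX masking and the faulty-transcoder point above, as an added example that is not part of the original mail or of any product it mentions: a Python canonicaliser that decodes both percent forms the way a permissive application decoder might, then validates the resulting bytes as strict UTF-8, so that overlong or otherwise malformed sequences are rejected rather than silently mapped to a different character. An inspection point that compares its rules against this canonical form sees what the application will see, instead of the raw encoded text. The `%uXXXX` handling, the `allow_u` flag and all sample paths are constructed for this illustration.

```python
import re

# Added example (not from the original mail): decode %XX and, optionally,
# the non-standard %uXXXX form, then validate the bytes as strict UTF-8.

_PCT = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


class InvalidUTF8(ValueError):
    """Raised when the decoded bytes are not well-formed UTF-8."""


def percent_decode(s: str, allow_u: bool = False) -> bytes:
    """Turn a percent-encoded string into raw bytes.

    %XX becomes one byte. %uXXXX (accepted by some decoders, constructed
    here as the permissive behaviour) becomes the UTF-8 bytes of that code
    point when allow_u is set and is otherwise left as literal text.
    Everything else passes through as its UTF-8 bytes.
    """
    out = bytearray()
    pos = 0
    for m in _PCT.finditer(s):
        out += s[pos:m.start()].encode('utf-8')
        if m.group(2) is not None:
            out.append(int(m.group(2), 16))
        elif allow_u:
            # surrogatepass keeps lone surrogates as bytes so the strict
            # validator below is the single place that rejects them
            out += chr(int(m.group(1), 16)).encode('utf-8', 'surrogatepass')
        else:
            out += m.group(0).encode('ascii')
        pos = m.end()
    out += s[pos:].encode('utf-8')
    return bytes(out)


def strict_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 by hand, refusing overlong forms, surrogates and
    code points above U+10FFFF instead of mapping them to something else."""
    chars = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, minimum = b, 0, 0
        elif 0xC2 <= b <= 0xDF:
            cp, need, minimum = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, need, minimum = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF4:
            cp, need, minimum = b & 0x07, 3, 0x10000
        else:
            # stray continuation (80-BF), overlong leads (C0, C1) or F5+
            raise InvalidUTF8(f"bad lead byte 0x{b:02x} at offset {i}")
        if i + need >= n:
            raise InvalidUTF8(f"truncated sequence at offset {i}")
        for j in range(1, need + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise InvalidUTF8(f"bad continuation 0x{c:02x} at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            raise InvalidUTF8(f"overlong encoding at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise InvalidUTF8(f"U+{cp:04X} not allowed at offset {i}")
        chars.append(chr(cp))
        i += need + 1
    return ''.join(chars)


def canonical_path(raw: str, allow_u: bool = False) -> str:
    """The form an inspection point should match rules against: the request
    decoded the same way the application decodes it, or a rejection."""
    return strict_utf8_decode(percent_decode(raw, allow_u))


def accepts(raw: str, allow_u: bool = False) -> bool:
    """True if the request survives canonicalisation without being rejected."""
    try:
        canonical_path(raw, allow_u)
        return True
    except InvalidUTF8:
        return False


if __name__ == '__main__':
    # constructed sample request paths
    for sample in ['/index%2ehtml', '/caf%C3%A9', '/caf%u00e9', '/%C1%81ctive']:
        try:
            print(sample, '->', canonical_path(sample, allow_u=True))
        except InvalidUTF8 as err:
            print(sample, '-> rejected:', err)
```

The validator is written out rather than delegating to `bytes.decode('utf-8')` so the three rejection conditions the mail alludes to (a faulty transcoder accepting overlong forms, surrogates, or out-of-range values) are visible as explicit checks; whether `%uXXXX` is decoded at all should mirror what the protected application actually does, which is the whole point of canonicalising at the inspection point.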

    This archive was generated by hypermail 2.1.5 : Fri Sep 26 2003 - 07:52:03 EDT