Amit Klein was kind enough to point out that the ASP.NET filter evasion issue is actually a known issue. It was first pointed out in 2004! According to that post: "We have decided that a KB article and update to tools and/or best practice guidelines should be done for this, and will be as time permits. We are not tracking this case as a security bulletin" – Microsoft
UPDATED 05/21/07 by Robert
According to two posts on The Web Security Mailing List, IIS seems to be affected as well. Here is a cheat sheet of characters you can use to see whether your application's input filtering can be evaded. The %uXXXX form is the non-standard Unicode escape that IIS/ASP.NET accept in request data; the code points below are the full-width forms of the ASCII characters, which get mapped back to plain ASCII after your filter has already looked at the request:
> = %uff1E (U+FF1E, FULLWIDTH GREATER-THAN SIGN)
< = %uff1c (U+FF1C, FULLWIDTH LESS-THAN SIGN)
Brackets ONLY Encoded: %uff1cscript%uff1Ealert(document.cookie)%uff1c/script%uff1E
Full Encoded: %uff1cscript%uff1Ealert%uFF08document%uff0ecookie%uff09%uff1c/script%uff1E
Both decode to <script>alert(document.cookie)</script> once the full-width forms are mapped back to ASCII. The second one also hides the parentheses (%uFF08, %uFF09) and the dot in document.cookie (%uff0e), for filters that key on "alert(" or "document.cookie" as well as on the angle brackets.
More updates will be posted here as they are discovered.
Posted 05/21/07 by Robert
A new Unicode encoding bypass has been discovered which will potentially leave dozens of popular applications vulnerable. At this time vendors such as 3com, ISS, Tippingpoint, Snort, and Cisco have released advisories. From CERT:
"Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system."
The impact is still being investigated by CERT; however, it is very possible that other major products are also affected. The products most likely affected are intrusion detection/prevention systems, and possibly application servers, web proxies, and web servers: anything that matches signatures against the raw request bytes before the full-width characters are decoded to their ASCII equivalents.
The original advisory, released by Fatih Ozavci and Caglar Cakici, can be found at http://www.gamasec.net/english/gs07-01.html (currently down).
Unicode Map: http://www.unicode.org/charts/PDF/UFF00.pdf
Advisory Link: http://www.kb.cert.org/vuls/id/739224
Vuln Chat: http://sla.ckers.org/forum/read.php?13,11562
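To make the bypass concrete, here is an added example (my own code, not from this post, the CERT note, or the gamasec advisory) that runs the two cheat-sheet payloads from the IIS/ASP.NET update above through a blacklist filter that inspects the raw request, and then through one that canonicalizes first. It stands in for both the application-filter case and the content-scanner case described above, since the failure is the same: the signature match happens before the full-width characters are mapped back to ASCII. Assumptions: the %uXXXX decoding is the IIS-style escape; NFKC normalization is used as a stand-in for whatever best-fit mapping the real server or scanner applies (the full-width forms U+FF01..U+FF5E normalize to their ASCII counterparts under NFKC); the signature list and the sample inputs are constructed for the demo.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs: the two cheat-sheet payloads from the post, the
# plain ASCII string they both decode to, and a benign request for comparison.
BRACKETS_ONLY = "%uff1cscript%uff1Ealert(document.cookie)%uff1c/script%uff1E"
FULL_ENCODED = "%uff1cscript%uff1Ealert%uFF08document%uff0ecookie%uff09%uff1c/script%uff1E"
PLAIN_ASCII = "<script>alert(document.cookie)</script>"
BENIGN = "hello%20world"

_PERCENT_U = re.compile(r"%[uU]([0-9a-fA-F]{4})")


def decode_percent_u(raw: str) -> str:
    """Decode the non-standard %uXXXX escapes (the IIS/ASP.NET form) into the
    Unicode code point they name, then decode ordinary %XX escapes."""
    decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(decoded)


def best_fit(text: str) -> str:
    """Model the down-mapping of full-width forms to ASCII. NFKC compatibility
    normalization does this for the characters used here (U+FF1C -> '<',
    U+FF08 -> '(', U+FF0E -> '.'); it is an assumed stand-in for the best-fit
    mapping a real server or content scanner performs."""
    return unicodedata.normalize("NFKC", text)


def what_the_app_sees(raw: str) -> str:
    """The string the application actually processes: %u-decoded, then mapped."""
    return best_fit(decode_percent_u(raw))


# Signatures a typical blacklist keys on. "Brackets ONLY" defeats a filter that
# matches only the angle brackets; "Full Encoded" also hides the parentheses
# and the dot in document.cookie.
SIGNATURES = ("<script", "alert(", "document.cookie")


def naive_filter_blocks(raw: str, signatures=SIGNATURES) -> bool:
    """Vulnerable: matches signatures against the raw request text, before the
    %u decoding and full-width mapping that happen downstream."""
    lowered = raw.lower()
    return any(sig in lowered for sig in signatures)


def hardened_filter_blocks(raw: str, signatures=SIGNATURES) -> bool:
    """Hardened: canonicalize (decode, then normalize) and only then match, so
    the filter sees the same text the application will."""
    canonical = what_the_app_sees(raw).lower()
    return any(sig in canonical for sig in signatures)


if __name__ == "__main__":
    for name, payload in (("brackets only", BRACKETS_ONLY),
                          ("full encoded", FULL_ENCODED),
                          ("plain ascii", PLAIN_ASCII),
                          ("benign", BENIGN)):
        print(f"{name:14} app sees: {what_the_app_sees(payload)!r}")
        print(f"{'':14} naive blocks: {naive_filter_blocks(payload)}"
              f"  hardened blocks: {hardened_filter_blocks(payload)}")
```

The check to take away: a filter keyed only on "<script" misses the brackets-only payload, a filter that also keys on "alert(" and "document.cookie" catches that one but misses the fully encoded payload, and the hardened version catches both because it decodes and normalizes before matching. Whether your real stack maps U+FF1C to "<" depends on the server and framework, so test it against the actual deployment rather than trusting the NFKC model here.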