ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: Bypassing of web filters by using ASCII



> -----Original Message-----
> From: k.huwig@xxxxxxxxx [mailto:k.huwig@xxxxxxxxx] 
> Sent: Wednesday, June 21, 2006 5:11 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Bypassing of web filters by using ASCII
> 
> ______________________________________________________________
> _________
> 
>                            iKu Advisory
> ______________________________________________________________
> _________
> 
> Product               : Microsoft InternetExplorer 6
>                       : various filter applications
> Date                  : June 20th 2006
> Affected versions     : all
> Vulnerability Type    : bypassing security filters
> Severity (1-10)       : 10
> Remote                : yes
> ______________________________________________________________
> _________
> 
> 0. contents
> 
>   1. problem description
>   2. affected software
>   3. bug description/possible fix
>   4. sample code
>   5. workaround
> 
> 
> 1. problem description
> 
> The character set ASCII encodes every character with 7 bits. Internet
> connections transmit octets with 8 bits. If the content of such a
> transmission is encoded in ASCII, the most significant bit 
> must be ignored.
> 
> Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6,
> only the InternetExplorer does this correctly, the others evaluate the
> bit and display the characters as if they were from the character set
> ISO-8859-1. Although the behaviour of the InternetExplorer is the
> correct one, this creates a security risk: the author of a 
> web page can
> set the bit on arbitraty characters without changing the look of the
> page. But virus scanners and content filters see completely different
> characters, so that there programs cannot detect viruses or spam.
> 
> This offers spammers and virus writers the possibility to bypass
> installed spam and virus filters.
> 
> 
> 2. affected software
> 
> Only the InternetExplorer displays ASCII encoded web pages as 
> 7 bit. We
> checked several hardware router and antivirus solutions, all of which
> failed to detect malicious JavaScript in manipulated web pages.
> 
> 
> 3. bug description/possible fix
> 
> It should be quite easy to close this hole within filter/scan
> applications by clearing the most significant bit on ASCII encoded web
> pages before analysing them.
> 
> 
> 4. sample page
> 
> At
> 
>       http://www.iku-ag.de/ASCII
> 
> you can find a test page that displays a secret message. IE6 displays
> the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text.
> This page only shows that IE6 displays ASCII-text correctly 
> and does not
> contain any content that a filter should sort out.
> 
> Updated information can be found at
> 
>       http://www.iku-ag.de/sicherheit/ascii-eng.jsp
> 
> 
> 5. workaround
> 
> There is no workaround know to us.
> --
> Kurt Huwig iKu Systemhaus AG http://www.iku-ag.de/ Vorstand 
> Am Römerkastell 4 Telefon 0681/96751-0 66121 Saarbrücken 
> Telefax 0681/96751-66 GnuPG 1024D/99DD9468 64B1 0C5B 82BC 
> E16E 8940 EB6D 4C32 F908 99DD 9468 
> 




 




Copyright © Lexa Software, 1996-2009.