Hi, AJE> We have seen 44 sites in the last year at WhiteHat Security that were AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be AJE> more ubiquitous than others when you find it. In the applications weak AJE> to this -- we found roughly 200 locations vulnerable to attack in AJE> those 44 applications, and each location would have multiple inputs, AJE> so you are probably talking 1,000+ inputs vulnerable to attack using AJE> this encoding.
The discussion of how many inputs are vulnerable is kind of ludicrous isn't it? As it nearly always boils down to the same set of impacts even if you have a trillion of inputs vulnerable, per domain. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
