=
=
 Individuelle IT-Lösungen
Home | Kontakt | Impressum  * 
---

Bodward

Scannerdaemon

plakat-drucker

huwig-werner

voip-saarland

voip-experten

ox-experten

ox-info

openox

vpn-experten

Deutsche Version verfügbar

Bypassing of web filters by using ASCII

If you can read the text in the yellow box, then you browser displays US-ASCII correctly and you should check if you firewall/virus scanner detects viruses/spam encoded in ASCII. If the box does not show, click here.

Background ASCII

The character set ASCII encodes every character with 7 bits. Internet connections transmit octets with 8 bits. If the content of such a transmission is encoded in ASCII, the most significant bit must be ignored.

The security problem

Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6, only the InternetExplorer does this correctly, the others evaluate the bit and display the characters as if they were from the character set ISO-8859-1. Although the behaviour of the InternetExplorer is the correct one, this creates a security risk: the author of a web page can set the bit on arbitrary characters without changing the look of the page. But virus scanners and content filters see completely different characters, so that there programs cannot detect viruses or spam.

This offers spammers and virus writers the possibility to bypass installed spam and virus filters. We checked several filter products and all of these failed to detect the manipulated web pages. But it should be quite easy to close this hole by clearing the most significant bit on ASCII encoded web pages before analysing them.

History

06/13/2006Found by Kurt Huwig (iKu Systemhaus AG)
Confirmed by Lukas Grunwald with several JavaScript viruses (DN-Systems GmbH)
Anti-Virus companies informed
06/19/2006Demo page installed
06/26/2006The issue has been documented as CVE-2006-3227

Contact: