We recently updated our security scanner and are reporting a new issue.
What is the recommended fix? (We are in ACF9.)
(Also, if you have a CF-oriented usage example, I would appreciate it.)
Unicode Transformation Issues
Severity
High
Type
Configuration
Reported by module
Scripting (XSS.script)
Description
This page is vulnerable to various Unicode transformation issues such as best-fit mappings, overlong byte sequences and ill-formed sequences.
Best-fit mappings occur when a character X is transformed into an entirely different character Y. In general, best-fit mappings happen when characters are transcoded between Unicode and another encoding.
Overlong byte sequences (non-shortest form) - UTF-8 allows several representations of a character that also has a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, and not in any of the following five possible overlong forms:
Ill-formed subsequences: as REQUIRED by Unicode 3.0 and noted in Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, the decoder should NOT consume it.
Impact
Software vulnerabilities arise when best-fit mappings occur. For example, characters can be manipulated to bypass string-handling filters such as cross-site scripting (XSS) or SQL injection filters, WAFs and IDSs. Overlong UTF-8 sequences could be abused to bypass UTF-8 substring tests that look only for the shortest possible encoding.
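The two failure modes just described, worked through in an added example (mine, not code from the scanner vendor or from ColdFusion): a strict UTF-8 decoder that refuses the five overlong encodings of U+000A and any lead byte whose successor is invalid, and a filter check that is re-run after the best-fit folding the scanner's payload relies on (U+02B9 to ', U+02BA to ", U+FF1C to <, U+FE65 to >). The BEST_FIT table is a constructed assumption modelled on the report's findings, and the Python standard library stands in for ColdFusion.

```python
import unicodedata

# Constructed best-fit table from the report (U+02B9 -> ', U+02BA -> "); NFKC
# itself folds the fullwidth/small forms U+FF1C -> < and U+FE65 -> >.
BEST_FIT = {"\u02b9": "'", "\u02ba": '"'}
# The scanner's LinkServID value from the report, URL-decoded to raw bytes.
PAYLOAD = b"acu5955\xef\xbc\x9cs1\xef\xb9\xa5s2\xca\xbas3\xca\xb9uca5955"

def strict_utf8_decode(data: bytes) -> str:
    """Decode per RFC 3629: reject overlong, ill-formed and surrogate forms."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, lo = b, 0, 0
        elif 0xC0 <= b <= 0xDF:          # C0/C1 leads can only be overlong
            cp, need, lo = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, need, lo = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF4:
            cp, need, lo = b & 0x07, 3, 0x10000
        else:                            # stray continuation, or F5-FF (F8/FC)
            raise ValueError(f"ill-formed lead byte 0x{b:02X} at offset {i}")
        for j in range(1, need + 1):     # never consume an invalid successor
            if i + j >= n or data[i + j] & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation after offset {i}")
            cp = (cp << 6) | (data[i + j] & 0x3F)
        if cp < lo or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"overlong or out-of-range sequence at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)
def is_well_formed(data: bytes) -> bool:
    try:
        strict_utf8_decode(data)
        return True
    except ValueError:
        return False
def overlong_forms(cp: int) -> list:  # every too-long (2..6 byte) encoding of cp
    forms = []
    for length in range(len(chr(cp).encode()) + 1, 7):
        lead = ((0xFF << (8 - length)) & 0xFF) | (cp >> (6 * (length - 1)))
        tail = [0x80 | ((cp >> (6 * k)) & 0x3F) for k in range(length - 2, -1, -1)]
        forms.append(bytes([lead] + tail))
    return forms
def best_fit_fold(s: str) -> str:  # what a lossy transcoder would turn s into
    return unicodedata.normalize("NFKC", "".join(BEST_FIT.get(c, c) for c in s))
def has_metachars(raw: bytes, fold: bool) -> bool:  # the filter, with/without folding
    text = strict_utf8_decode(raw)
    return any(c in "<>'\"" for c in (best_fit_fold(text) if fold else text))
```

The naive check (fold=False) passes the scanner's payload, while the folded check catches it; the same folding should be applied before any metacharacter filter that runs ahead of a lossy transcoding step.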
Recommendation
Identify the source of these Unicode transformation problems and fix them. See the web links below for more information.
Web references
Unicode Security
UTF-8 and Unicode FAQ for Unix/Linux
A few Unicode issues in PHP and Firefox
Unicode Security Issues
Affected items
/MySite-portal/
More details
The URL-encoded POST input was set to acu5955%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca5955
The list of problems:
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed to U+0027 APOSTROPHE (')
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transf ... (line truncated)
Request headers
GET /MySite-portal/?display=Login&status=failed&RememberMe=0&ContentID=&LinkServID=acu5955%1Cs1es2%BAs3%B9uca5955&returnURL=https://stage-cms.mysite.com/mysite-portal/ HTTP/1.1
Referer: https://stage-cms.mysite.com-00-0043/
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
Host: stage-cms.mysite.com