Microsoft ASP.NET Unicode Conversion vulnerability

[iGuest 3]

Andrey Rusyaev has discovered a vulnerability in ASP.NET, which potentially can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.The vulnerability is caused due to an input validation error in the filtration of special HTML characters supplied as unicode characters in the "Request Validation" and "HttpServerUtility.HtmlEncode" security mechanisms. This can e.g. be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site via a script returning user input without sanitation.Successful exploitation requires that the response encoding has been set to a national ASCII codepage (not default setting).The vulnerability has been confirmed in Microsoft .NET Framework version 1.1.4322.573. The vulnerability has also been reported in .Net Framework version 1.0 (service pack 2 and prior) and 1.1 (service pack 1 and prior).Solution:Set the response encoding to unicode (default setting).Provided and/or discovered by:Andrey Rusyaev

[iGuest 3]

ahhhhhhhhhhh if somebody wanted to read this stuff they would go to a news site and read it but you just keep copying and pasting this crap