WorstFit is a vulnerability in Windows-based programs which use ANSI APIs - especially those that handle command-line arguments or environment variables. Characters such as full-width quotes and yen signs can be silently changed into quotes and backslashes, bypassing upstream filters and sanitizers. Code execution, source disclosure and local file inclusion are demonstrated in a range of environments including PHP, Python, cURL, Excel, etc. as well as actual websites affected by this bug.
1 comment
[ 4.7 ms ] story [ 9.9 ms ] thread