Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: yos20053@xxxxxxxxx
Date: 10 May 2008 20:59:36 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Content type is set in Response header
but not in the HTML meta tag - for example
there is no definition like <meta http-equiv="Content-Type" content="text/html; 
charset=iso-8859-1">!!!

That is the reason why it is still a vulnerability and was tested hundred times 
and still works. 
The solution is to set encoding for the response in when rendering the page, 
for example in asp you  write Response.charset = "iso-8859-1"


Best Regards

Yossi Yakubov - (Yos)

Prev by Date: Re: Exploiting Google MX servers as Open SMTP Relays
Next by Date: [ GLSA 200805-09 ] MoinMoin: Privilege escalation
Previous by thread: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Next by thread: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Index(es):
- Date
- Thread