Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Hello,
Please try to understand what we did here.
You might be right in here:
"As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that
Microsoft err'ed on the side of accepting UTF-7 charset for automatic
detection in violation of RFC 2616."
But as I said in the 1st mail that I sent:
"We leave it to other hackers to upgrade the attack and make it fully
automatic."
I mean that the FireFox will not show the XSS unless you change the encoding.
If it was "fully automatic" it could change the FireFox encoding, but
it's not it's only a PoC.
Try to change FireFox to auto-select and refresh it so it will jump to UTF-7.
Yaniv Miron aka "Lament".
______________________________
__________
Gentlemen,
With respect to http://www.securityfocus.com/bid/29112
Per http://www.ietf.org/rfc/rfc2616.txt
3.7.1 Canonicalization and Text Defaults
[...]
The "charset" parameter is used with some media types to define the
character set (section 3.4) of the data. When no explicit charset
parameter is provided by the sender, media subtypes of the "text"
type are defined to have a default charset value of "ISO-8859-1" when
received via HTTP. Data in character sets other than "ISO-8859-1" or
its subsets MUST be labeled with an appropriate charset value. See
section 3.4.1 for compatibility problems.
Internet Explorer's autodetection of UTF-7 clearly violates this
specification, introducing the opportunity for myriad similar attacks.
There are several workarounds in Apache HTTP Server to prevent Microsoft's
vulnerability, including
AddDefaultCharset ISO-8859-1
or by enabling multilanguage error docs (with explicit charsets) by simply
uncommenting this Include directive of the default httpd.conf file;
# Multi-language error messages
Include conf/extra/httpd-multilang
-errordoc.conf
All releases after Jan 2 include a global fix that adds an explicit
charset iso-8859-1 to compensate for Microsoft's vulnerability, including
2.2.8, 2.0.63, and 1.3.41. However this vulnerability should clearly be
labeled as a flaw in Internet Explorer.
As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that
Microsoft err'ed on the side of accepting UTF-7 charset for automatic
detection in violation of RFC 2616.
We are be pleased to offer SecurityFocus the opportunity correct this
misinformation before we raise issue on the public discussion forums.
Bill
Apache HTTP Server