Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: Jon Ribbens <jon+bugtraq2@xxxxxxxxxxxxxxxxx>
Date: Fri, 16 May 2008 10:44:15 +0100
In-reply-to: <20080514172052.11859.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20080514172052.11859.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.13 (2006-08-11)

On Wed, May 14, 2008 at 05:20:52PM -0000, Tom.Donovan@xxxxxxx wrote:
> It appears there is little that web servers can do to thwart this,
> short of changing all '+' characters to %2B.  That seems excessive.

To be fair, this is what Microsoft has recommended, explicitly for the
purpose of preventing XSS, for *at least* the last 6 years. The library
I use does indeed encode "+" as "&#43;".

References:
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
  - From: Tom . Donovan

Prev by Date: Hack.lu 2008 CfP
Next by Date: [SECURITY] [DSA 1576-2] New openssh packages fix predictable randomness
Previous by thread: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Next by thread: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Index(es):
- Date
- Thread