<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

Dear Bill From Apache

I think that you didn't understand this vulnerability properly. I ask to to 
check again and run this exploit with Firefox. After running this exploit, 
change manually the ecnoding in Firefox to UTF-7.. You will see that the alert 
will jump up. There is no problem to trick the victim and force him to change 
the encoding of his browser by little social engineering. 

But if you, apache guys will set 403 page's charset in the server side by 
writing it in your server code, that will prevent this script running. In IE 
autoselect will work only if no charset was set to the page in server side. 


We know how to solve this problem and if you want we can help you...

Best Regards and with big respect to Apache

Yossi Yakubov (Yos)
&#1497;&#1493;&#1505;&#1497; &#1497;&#1506;&#1511;&#1493;&#1489;&#1493;&#1489;