Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, yos20053@xxxxxxxxx
Subject: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: Paul Szabo <psz@xxxxxxxxxxxxxxxxx>
Date: Sun, 18 May 2008 08:12:20 +1000
In-reply-to: <20080517191907.3464.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Yossi Yakubov wrote in http://www.securityfocus.com/archive/1/492202 :

> if you, apache guys will set 403 page's charset ...

Done, as per http://www.securityfocus.com/archive/1/492094 :
>> All [current] releases include fixes ...

> ... change manually the ecnoding in Firefox to UTF-7 ... There is no
> problem to trick the victim and force him to change the encoding of
> his browser by little social engineering.

See https://bugzilla.mozilla.org/show_bug.cgi?id=408457 about how this
can be better exploited.

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

References:
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
  - From: yos20053

Prev by Date: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Next by Date: Cpanel all version >> root access with a reseller account.
Previous by thread: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Next by thread: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Index(es):
- Date
- Thread