Further Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability"

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Further Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability"
From: "William A. Rowe, Jr." <wrowe@xxxxxxxxxxxxx>
Date: Mon, 09 Jun 2008 16:07:02 -0500
In-reply-to: <482B2137.4080501@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <c9bdf4660805110109m654062f3me86818a5b86d94f2@xxxxxxxxxxxxxx> <482B2137.4080501@xxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.14 (X11/20080501)

William A. Rowe, Jr. wrote:

With respect to http://www.securityfocus.com/bid/29112

All releases after Jan 2 include fixes across the board to add an explicit
charset iso-8859-1 to the built in Apache HTTP modules to compensate for
Microsoft's vulnerability, including released versions 2.2.8, 2.0.63, and
1.3.41.  This does not affect third party modules you may be loading,
applications hosted-on or proxied-through HTTP Server, etc.


Having reviewed the vulnerability history again, those versions corrected
the unexploitable bug which echoed the supplied HTTP method (CVE-2007-6203).

In fact, the 1.3.34. 2.0.55 and all 2.2 releases resolved the Apache flaw

and tag all canned error responses with charset=iso-8859-1, as identified bylament hero with bid 29112. So why would he be so clueless as to report

these later versions as affected?  Simply, by observation.

My colleague Adam Qualset of Covalent has researched and confirmed that all
versions of IE are exploitable with UTF-7 in the presence of a Content-type
charset field.  As originally cited...

However this vulnerability should clearly be labeled as a flaw in Internet
Explorer.  If the browsers under your supervision continue to enable the
autodetection of UTF-7, your users remain at risk.  As all ISO, UTF-8 and
related charsets were 7-bit clean, it's clear that Microsoft err'ed on
the side of accepting UTF-7 charset for automatic detection, contrary to
to the behavior dictated by RFC 2616.


So this statement stands, and exploits even via IIS itself should be trivial
to construct for the enthusiastic student.

I encourage the securityfocus team to update this vulnerability report
appropriately, and also please note that the cited homepage for References
should be http://httpd.apache.org/ with respect to any Apache HTTP Server
issues.

Many thanks,

Bill

References:
- Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability"
  - From: William A. Rowe, Jr.

Prev by Date: [SECURITY] [DSA 1593-1] New tomcat5.5 packages cross-site scripting
Next by Date: [web-app] Tornado Knowledge Retrieval System <= 4.2 Remote XSS Vulnerability
Previous by thread: Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability"
Next by thread: [ GLSA 200805-16 ] OpenOffice.org: Multiple vulnerabilities
Index(es):
- Date
- Thread