BugTraq
Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability May 17 2008 07:19PM
yos20053 gmail com (3 replies)
Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSSVulnerability May 17 2008 10:55PM
Tim (tim-security sentinelchicken org)
Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability May 17 2008 10:12PM
Paul Szabo (psz maths usyd edu au)
Yossi Yakubov wrote in http://www.securityfocus.com/archive/1/492202 :

> if you, apache guys will set 403 page's charset ...

Done, as per http://www.securityfocus.com/archive/1/492094 :
>> All [current] releases include fixes ...

> ... change manually the ecnoding in Firefox to UTF-7 ... There is no
> problem to trick the victim and force him to change the encoding of
> his browser by little social engineering.

See https://bugzilla.mozilla.org/show_bug.cgi?id=408457 about how this
can be better exploited.

Cheers,

Paul Szabo psz (at) maths.usyd.edu (dot) au [email concealed] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

[ reply ]
Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability May 17 2008 10:10PM
William A. Rowe, Jr. (wrowe rowe-clan net)


 

Privacy Statement
Copyright 2010, SecurityFocus