re: "set 403 page's charset in the server side by writing it in your server code"
Apache *does* set the charset in the HTTP header. It is set to iso-8859-1 by default.
Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior. See below for the captured response from a test with this change.
The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.
re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on this server".
There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a "+" is potentially a UTF-7 string. This is why it is not appropriate for browsers to automatically interpret text as UTF-7. Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let the browser developers know.
re: percent-encoding the "+" character in URLs
The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 Reserved Characters). RFC3986 goes further and explains why reserved characters like "+" should not be percent-encoded:
"Percent-encoding a reserved character, or decoding a percent-encoded octet
that corresponds to a reserved character, will change how the URI is
interpreted by most applications. Thus, characters in the reserved
set are protected from normalization and are therefore safe to be
used by scheme-specific and producer-specific algorithms for
delimiting data subcomponents within a URI."
A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be percent-encoded.
Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified to include a <meta http-equiv> tag in the body. The behavior remains the same in both Firefox or IE with this change.
It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade the attack and make it fully automatic."
It is a disappointment that CVE-2008-2168 was accepted so uncritically.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
Apache *does* set the charset in the HTTP header. It is set to iso-8859-1 by default.
Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior. See below for the captured response from a test with this change.
The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.
re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"
For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on this server".
There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a "+" is potentially a UTF-7 string. This is why it is not appropriate for browsers to automatically interpret text as UTF-7. Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let the browser developers know.
re: percent-encoding the "+" character in URLs
The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 Reserved Characters). RFC3986 goes further and explains why reserved characters like "+" should not be percent-encoded:
"Percent-encoding a reserved character, or decoding a percent-encoded octet
that corresponds to a reserved character, will change how the URI is
interpreted by most applications. Thus, characters in the reserved
set are protected from normalization and are therefore safe to be
used by scheme-specific and producer-specific algorithms for
delimiting data subcomponents within a URI."
A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be percent-encoded.
Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified to include a <meta http-equiv> tag in the body. The behavior remains the same in both Firefox or IE with this change.
It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade the attack and make it fully automatic."
It is a disappointment that CVE-2008-2168 was accepted so uncritically.
Regards,
-tom-
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.</p>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.</p>
<hr>
<address>Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5 Server at www.victim.com Port 80</address>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 04:45:49 GMT
Server: Apache/1.3.33 (Unix)
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
23c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
0
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:53:10 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTN
eK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEc
o8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz
1olPh5jZ<font size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---
//--
on this server.</p>
</body></html>
[ reply ]