Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

From: <Tom.Donovan_at_acm.org>
Date: 14 May 2008 17:20:52 -0000

('binary' encoding is not supported, stored as-is) Setting the HTTP response header:
Content-Type: text/html; charset=iso-8859-1

or adding the tag:
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

or even both - still does not deter IE from scanning the contents and interpreting them as UTF-7 when Encoding=Auto-Select.
(observed on w2k with IE 6.0.2800.1106 SP1 + Q867801 + Q823353 + Q833989 + Q903235)

It appears there is little that web servers can do to thwart this, short of changing all '+' characters to %2B. That seems excessive.

-tom-
Received on May 15 2008

This message: [ Message body ]
Next message: Walker, Theresa A CIV DISA CSD: "RE: Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities (UNCLASSIFIED)"
Previous message: Robbie (Rupinder) Gill: "Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities (Aruba Advisory ID: AID-051408)"
Maybe in reply to: yos20053_at_gmail.com: "Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"
Reply: Jon Ribbens: "Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]