Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: Paul Szabo <psz () maths usyd edu au>
Date: Sun, 18 May 2008 08:12:20 +1000

Yossi Yakubov wrote in http://www.securityfocus.com/archive/1/492202 :

if you, apache guys will set 403 page's charset ...

Done, as per http://www.securityfocus.com/archive/1/492094 :
All [current] releases include fixes ...

... change manually the ecnoding in Firefox to UTF-7 ... There is no
problem to trick the victim and force him to change the encoding of
his browser by little social engineering.

See https://bugzilla.mozilla.org/show_bug.cgi?id=408457 about how this
can be better exploited.


Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]