Bugtraq mailing list archives
Further Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability"
From: "William A. Rowe, Jr." <wrowe () rowe-clan net>
Date: Mon, 09 Jun 2008 16:07:02 -0500
William A. Rowe, Jr. wrote:
With respect to http://www.securityfocus.com/bid/29112 All releases after Jan 2 include fixes across the board to add an explicit charset iso-8859-1 to the built in Apache HTTP modules to compensate for Microsoft's vulnerability, including released versions 2.2.8, 2.0.63, and 1.3.41. This does not affect third party modules you may be loading, applications hosted-on or proxied-through HTTP Server, etc.
Having reviewed the vulnerability history again, those versions corrected the unexploitable bug which echoed the supplied HTTP method (CVE-2007-6203). In fact, the 1.3.34. 2.0.55 and all 2.2 releases resolved the Apache flawand tag all canned error responses with charset=iso-8859-1, as identified by lament hero with bid 29112. So why would he be so clueless as to report
these later versions as affected? Simply, by observation. My colleague Adam Qualset of Covalent has researched and confirmed that all versions of IE are exploitable with UTF-7 in the presence of a Content-type charset field. As originally cited...
However this vulnerability should clearly be labeled as a flaw in Internet Explorer. If the browsers under your supervision continue to enable the autodetection of UTF-7, your users remain at risk. As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that Microsoft err'ed on the side of accepting UTF-7 charset for automatic detection, contrary to to the behavior dictated by RFC 2616.
So this statement stands, and exploits even via IIS itself should be trivial to construct for the enthusiastic student. I encourage the securityfocus team to update this vulnerability report appropriately, and also please note that the cited homepage for References should be http://httpd.apache.org/ with respect to any Apache HTTP Server issues. Many thanks, Bill
Current thread:
- Further Correction to BID 29112 "Apache Server HTML Injection and UTF-7 XSS Vulnerability" William A. Rowe, Jr. (Jun 09)