Bugtraq mailing list archives
Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
From: yos20053 () gmail com
Date: 17 May 2008 19:19:07 -0000
Dear Bill From Apache I think that you didn't understand this vulnerability properly. I ask to to check again and run this exploit with Firefox. After running this exploit, change manually the ecnoding in Firefox to UTF-7.. You will see that the alert will jump up. There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering. But if you, apache guys will set 403 page's charset in the server side by writing it in your server code, that will prevent this script running. In IE autoselect will work only if no charset was set to the page in server side. We know how to solve this problem and if you want we can help you... Best Regards and with big respect to Apache Yossi Yakubov (Yos) יוסי יעקובוב
Current thread:
- Apache Server HTML Injection and UTF-7 XSS Vulnerability lament hero (May 09)
- <Possible follow-ups>
- Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability cxib (May 10)
- Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability yos20053 (May 12)
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability cxib (May 12)
- Message not available
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability lament hero (May 15)
- Message not available
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tom . Donovan (May 15)
- Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Jon Ribbens (May 16)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability yos20053 (May 17)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Paul Szabo (May 19)
- Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tim (May 19)
- Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability William A. Rowe, Jr. (May 19)
- Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability Tom . Donovan (May 19)