Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

From: <yos20053_at_gmail.com>
Date: 10 May 2008 20:59:36 -0000

('binary' encoding is not supported, stored as-is) Content type is set in Response header
but not in the HTML meta tag - for example
there is no definition like <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">!!!

That is the reason why it is still a vulnerability and was tested hundred times and still works.
The solution is to set encoding for the response in when rendering the page, for example in asp you write Response.charset = "iso-8859-1"

Best Regards

Yossi Yakubov - (Yos)
Received on May 12 2008

This message: [ Message body ]
Next message: Thijs Kinkhorst: "[SECURITY] [DSA 1573-1] New rdesktop packages fix several vulnerabilities"
Previous message: Pierre-Yves Rofes: "[ GLSA 200805-09 ] MoinMoin: Privilege escalation"
Maybe in reply to: William A. Rowe, Jr.: "Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"
Maybe reply: cxib_at_securityreason.com: "Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"
Maybe reply: Tom.Donovan_at_acm.org: "Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]