There is a great debate on the Bugtraq mailing list regarding the Apache UTF-7 XSS issue. In this debate William Rowe (Apache) discusses why the Apache UTF-7 vulnerability is in fact not a vulnerability in Apache but in Internet Explorer, for not following the specifications properly. William first posted to Bugtraq (http://seclists.org/bugtraq/2008/May/0166.html) with the following:
"Internet Explorer's autodetection of UTF-7 clearly violates this specification, introducing the opportunity for myriad similar attacks. These are literally everywhere on the web today, we can trust the kids to continue to explore this vector until it is fixed by Microsoft."
"However this vulnerability should clearly be labeled as a flaw in Internet Explorer. If the browsers under your supervision continue to enable the autodetection of UTF-7, your users remain at risk. As all ISO, UTF-8 and related charsets were 7-bit clean, it's clear that Microsoft erred on the side of accepting UTF-7 charset for automatic detection, contrary to the behavior dictated by RFC 2616."
One of the apparent vulnerability researchers disagreed with William, who responded to his post:
"We understand it quite well; we simply disagree on the context of which is vulnerable, the Apache server which holds to RFC2616, or IE (and Firefox apparently in some cases) which do not. Even allowing for the flexibility of toggling between ISO, UTF-8 and other 7-bit ASCII-clean character sets, the choice by IE and Firefox to violate the RFC in this manner, accepting by guesswork UTF-7 with no canonical definition of the basic HTML control set, clearly has broader implications. I trust as a researcher you can fill your days for a good long time finding similarly vulnerable configurations and applications, when in fact the origin of this problem lies in the client."
Apache does provide a workaround to protect users running Internet Explorer, which is also outlined in the same post. It is a great post that I suggest reading for various reasons.
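The whole argument above turns on one condition: a browser only gets to guess UTF-7 when the server has not declared a charset at all. The following check, an added example that is not code from the thread or from the Apache project, parses a raw HTTP response and reports whether the charset is pinned by the Content-Type header (or, for HTML, by a meta tag) or left for the client to sniff. The sample responses are constructed, and the explicit-charset defense it looks for is the general one (for Apache, a directive such as AddDefaultCharset); it is not necessarily the specific workaround William describes in his post.

```python
"""Added example: flag HTTP responses that leave the charset to the browser.

IE's UTF-7 auto-detection only has room to act when the server has not
declared a charset explicitly. This check parses a raw HTTP response (a
constructed sample, not a real capture) and reports whether the charset is
pinned by the Content-Type header or by a <meta> tag in the body.
"""
import re

# charset=... parameter on the Content-Type header (the authoritative place).
_CT_CHARSET = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)
# <meta charset=...> / <meta http-equiv=... content="...; charset=..."> in the body.
_META_CHARSET = re.compile(
    r'<meta[^>]+charset\s*=\s*["\']?([A-Za-z0-9._-]+)', re.IGNORECASE)


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def declared_charset(headers, body):
    """Return the charset the response declares, or None if the browser is left to guess."""
    ctype = headers.get("content-type", "")
    m = _CT_CHARSET.search(ctype)
    if m:
        return m.group(1).lower()
    # Only HTML bodies can carry a <meta> charset declaration; look in the first 4 KiB.
    if ctype.split(";")[0].strip().lower() == "text/html":
        m = _META_CHARSET.search(body[:4096].decode("iso-8859-1"))
        if m:
            return m.group(1).lower()
    return None


def sniffing_risk(raw: bytes) -> dict:
    """Classify a response: 'ok' when a charset is declared, 'sniffable' otherwise."""
    headers, body = split_response(raw)
    cs = declared_charset(headers, body)
    return {"charset": cs, "status": "ok" if cs else "sniffable"}


# Constructed sample responses (not real captures).
UNPINNED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<html><body>Search results</body></html>")
PINNED = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
          b"<html><body>Search results</body></html>")
META_PINNED = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b'<html><head><meta charset="iso-8859-1"></head></html>')

if __name__ == "__main__":
    for name, resp in (("UNPINNED", UNPINNED), ("PINNED", PINNED), ("META_PINNED", META_PINNED)):
        print(name, sniffing_risk(resp))
```

The header is the value worth insisting on: a meta declaration only helps once the browser has already started parsing the body, and only for HTML, so a response flagged "sniffable" here is exactly the kind of page the thread is arguing about.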
Email Thread Link: http://www.securityfocus.com/archive/1/492220/30/0/threaded
The XSS FAQ: The Cross-site Scripting FAQ