
Apache Debates the Apache UTF-7 XSS

There is a lively debate on the bugtraq mailing list about the Apache UTF-7 XSS issue. In it,
William Rowe (Apache) argues that the Apache UTF-7 vulnerability is not a vulnerability in Apache
at all but in Internet Explorer, which fails to follow the relevant specification. William first posted to
bugtraq at http://seclists.org/bugtraq/2008/May/0166.html
with the following:

"Internet Explorer's autodetection of UTF-7 clearly violates this
specification, introducing the opportunity for myriad similar attacks.
These are literally everywhere on the web today, we can trust the kids
to continue to explore this vector until it is fixed by Microsoft. "

"However this vulnerability should clearly be labeled as a flaw in Internet
Explorer. If the browsers under your supervision continue to enable the
autodetection of UTF-7, your users remain at risk. As all ISO, UTF-8 and
related charsets were 7-bit clean, it's clear that Microsoft err'ed on
the side of accepting UTF-7 charset for automatic detection, contrary to
the behavior dictated by RFC 2616. "

One of the apparent vulnerability researchers disagreed, and William responded to
his post:

"We understand it quite well; we simply disagree on the context of which
is vulnerable, the Apache server which holds to RFC2616, or IE (and Firefox
apparently in some cases) which do not. Even allowing for the flexibility
of toggling between ISO, UTF-8 and other 7bit ascii-clean character sets,
the choice by IE and Firefox to violate the RFC in this manner accepting
by guesswork UTF-7 with no canonical definition of the basic HTML control
set clearly has broader implications. I trust as a researcher you can fill
your days for a good long time finding similarly vulnerable configurations
and applications, when in fact the origin of this problem lies in the client."

Apache does provide a workaround to protect users running Internet Explorer, which is also outlined in the same post. It is a great
post that I suggest reading for several reasons.

Email Thread Link: http://www.securityfocus.com/archive/1/492220/30/0/threaded
The XSS FAQ: The Cross-site Scripting FAQ