Open Source and information security mailing list archives
Date: 14 May 2008 17:20:52 -0000
From: Tom.Donovan@....org
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

Setting the HTTP response header:

  Content-Type: text/html; charset=iso-8859-1

or adding the tag:

  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

or even both - still does not deter IE from scanning the contents and interpreting them as UTF-7 when Encoding=Auto-Select.

(observed on w2k with IE 6.0.2800.1106 SP1 + Q867801 + Q823353 + Q833989 + Q903235)

It appears there is little that web servers can do to thwart this, short of changing all '+' characters to %2B. That seems excessive.

-tom-
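As an added illustration of the message above (not part of the original post and not Apache code), the following Python sketch flags UTF-7 shifted runs in a reflected value that decode to HTML metacharacters, and shows the '+' to %2B replacement the message mentions. The function names and the sample path are constructed for this example.

```python
import base64
import re

# UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
SHIFTED = re.compile(r"\+([A-Za-z0-9+/]+)-?")
HTML_META = set("<>\"'&")


def shifted(text: str) -> str:
    """Build a UTF-7 shifted run for `text` (used only to construct the sample)."""
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def decode_run(b64: str) -> str:
    """Decode one modified-base64 run to text; return '' if it is not valid."""
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return ""
    raw = raw[: len(raw) - len(raw) % 2]  # drop a trailing partial UTF-16 unit
    return raw.decode("utf-16-be", errors="replace")


def find_utf7_markup(value: str) -> list:
    """Return (run, decoded) pairs whose decoded text contains HTML metacharacters."""
    hits = []
    for m in SHIFTED.finditer(value):
        decoded = decode_run(m.group(1))
        if HTML_META & set(decoded):
            hits.append((m.group(0), decoded))
    return hits


def neutralize_plus(value: str) -> str:
    """The mitigation named in the message: every '+' becomes %2B."""
    return value.replace("+", "%2B")


# Constructed sample: a request path that would be echoed into an error page.
SAMPLE = "/docs/" + shifted("<") + "b" + shifted(">")

if __name__ == "__main__":
    print(SAMPLE)
    print(find_utf7_markup(SAMPLE))
    print(find_utf7_markup("/search?q=a+b"))
    print(neutralize_plus(SAMPLE), find_utf7_markup(neutralize_plus(SAMPLE)))
```

An ordinary '+' in a query string is not flagged, because the text after it does not decode to markup characters.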