Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-19 Thread Tom . Donovan
re: "set 403 page's charset in the server side by writing it in your server code" Apache *does* set the charset in the HTTP header. It is set to iso-8859-1 by default. Adding a tag with the iso-8859-1 charset does not change the browser behavior. See below for the captured response from a

Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-19 Thread Tim
Hello Yossi, I've read your previous messages and I'm not convinced.
> I think that you didn't understand this vulnerability properly. I ask
> you to check again and run this exploit with Firefox. After running this
> exploit, change manually the encoding in Firefox to UTF-7. You will see
> that

Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-19 Thread Paul Szabo
Yossi Yakubov wrote in http://www.securityfocus.com/archive/1/492202 :
> if you, apache guys will set 403 page's charset ...
Done, as per http://www.securityfocus.com/archive/1/492094 :
>> All [current] releases include fixes ...
> ... change manually the encoding in Firefox to UTF-7 ...
There i

Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

2008-05-17 Thread yos20053
Dear Bill From Apache, I think that you didn't understand this vulnerability properly. I ask you to check again and run this exploit with Firefox. After running this exploit, change manually the encoding in Firefox to UTF-7. You will see that the alert will jump up. There is no problem to trick