XSS with UTF-7 in Google
XSS with UTF-7 was found in www.google.com (already fixed).
Although the charset was specified in the HTTP response header, the
charset name was incorrect, so XSS occurred.
PoC:
http://www.google.com/search?hl=enoe=cp932q=%2BADw-script%2BAD4-alert(
- Idiomatic expression of EUC-JP
jis - Idiomatic expression of ISO-2022-JP
MS932 / MS932 / CP942C - Comparable encodings to Shift_JIS on Java
Windows-31J - IANA registered name for Codepage 932, but not
registered in Windows.
Status:
Nov 16 2007 reported to Yahoo and was fixed immediately.
--
HASEGAWA
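A defender-side check for the root cause described in this post (an added example, not code from the original post or from Google): parse the declared charset and, when it is not a label browsers honour, flag UTF-7 shift sequences in the body that would decode to angle brackets. The BROWSER_CHARSETS set is an assumed, illustrative subset.

```python
import re

# Assumption: an illustrative subset of charset labels mainstream browsers
# honour; "cp932" is deliberately absent, as in the response described above.
BROWSER_CHARSETS = {
    "utf-8", "iso-8859-1", "windows-1252", "shift_jis", "windows-31j",
    "ms932", "euc-jp", "iso-2022-jp",
}

# A UTF-7 shift sequence: '+', base64 characters, optional terminating '-'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")


def declared_charset(content_type):
    """Return the lower-cased charset parameter of a Content-Type value, or None."""
    m = re.search(r';\s*charset="?([^\s;"]+)', content_type or "", re.IGNORECASE)
    return m.group(1).lower() if m else None


def utf7_markup_fragments(body):
    """Shift sequences in body that decode, as UTF-7, to text containing '<' or '>'."""
    hits = []
    for m in UTF7_SHIFT.finditer(body):
        try:
            decoded = m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            continue  # e.g. a lone '+1' in ordinary text is not a valid sequence
        if "<" in decoded or ">" in decoded:
            hits.append((m.group(0), decoded))
    return hits


def charset_sniffing_risk(content_type, body):
    """Fragments a charset-sniffing browser could render as markup.

    Returns [] when the declared charset is one browsers honour, because the
    body is then decoded as declared and the '+ADw-' sequences stay literal.
    """
    if declared_charset(content_type) in BROWSER_CHARSETS:
        return []
    return utf7_markup_fragments(body)


if __name__ == "__main__":
    # Constructed sample mirroring the post: a charset label a browser ignores.
    print(charset_sniffing_risk("text/html; charset=cp932",
                                "<p>+ADw-script+AD4-</p>"))
```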
cannot be understood, IE6 starts deciding the
file type by the Content-Disposition header.
Then, it can be prevented from being judged as HTML
by PATH_INFO by adding a Content-Disposition header such as:
Content-Disposition: inline; filename=a.xml
--
HASEGAWA Yosuke
[EMAIL PROTECTED]
that the malware which used this
trick is distributed through the Winny network, the most famous P2P
software in Japan.
Execution of malware by this trick can be prevented by
restricting execution of files which contain RLO in
the filename, using group (or local) policy.
--
HASEGAWA Yosuke
hoshikuzu|star_dust, who told me that the problem
introduced to the public in 2004 still exists in 2006 at the
moment, offered the PoC, and provided various information.
--
HASEGAWA Yosuke
yosuke.hasegawa at gmail.com
Microsoft MVP for Windows - Security (Oct 2005 - Sep 2007)
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
--
HASEGAWA Yosuke
[EMAIL PROTECTED]
/functions/findmimefromdata.asp
Of course, the result may mismatch between the browser and the
server side.
Or, adding Content-Disposition: attachment to the response header
can be used to prevent executing script in the browser directly.
--
HASEGAWA Yosuke
[EMAIL PROTECTED]
Therefore, it is possible for this to prevent attempts to steal the
contents of your server via mhtml redirection.
--
HASEGAWA Yosuke
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted