Tem um grande debate na lista bugtraq falando se o apache e vulneravel a um ataque de (XSS) utf7. William Rowe (Apache Team) explica porque o Apache nao esta vulneravel a este ataque mais o Interner Explorer sim. O primeiro post do William ele diz o seguinte: http://seclists.org/bugtraq/2008/May/0166.html
“Internet Explorer’s autodetection of UTF-7 clearly violates this specification, introducing the opportunity for myriad similar attacks. These are literally everywhere on the web today, we can trust the kids to continue to explore this vector until it is fixed by Microsoft. ”
“However this vulnerability should clearly be labeled as a flaw in Internet Explorer. If the browsers under your supervision continue to enable the autodetection of UTF-7, your users remain at risk. As all ISO, UTF-8 and related charsets were 7-bit clean, it’s clear that Microsoft err’ed on the side of accepting UTF-7 charset for automatic detection, contrary to to the behavior dictated by RFC 2616. ”
Vale apena conferir.
Email Thread Link: http://www.securityfocus.com/archive/1/492220/30/0/threaded
Related Articles
No user responded in this post
Leave A Reply