[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] UTF7 a requirement?

From: robert@xxxxxxxxxxxxx
Subject: [WEB SECURITY] UTF7 a requirement?
Date: Mon, 24 Mar 2008 16:50:42 -0500 (EST)

Hello List,

We've seen UTF7 based xss (example google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
and I'm wondering is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
that will not render/function properly unless UTF7 is used (I'm thinking no)?

It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these utf7 xss issues. Any
encoding ninja's care to comment? 

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
 

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- Re: [WEB SECURITY] UTF7 a requirement?
  - From: Daniel Papasian
- Re: [WEB SECURITY] UTF7 a requirement?
  - From: Chris Weber (Casaba Security)
- Re: [WEB SECURITY] UTF7 a requirement?
  - From: Arian J. Evans
- Re: [WEB SECURITY] UTF7 a requirement?
  - From: HASEGAWA Yosuke
- RE: [WEB SECURITY] UTF7 a requirement?
  - From: Alex Stamos

Prev by Date: [WEB SECURITY] i want badstore.net cookbook/tutorials
Next by Date: Re: [WEB SECURITY] UTF7 a requirement?
Previous by thread: [WEB SECURITY] i want badstore.net cookbook/tutorials
Next by thread: Re: [WEB SECURITY] UTF7 a requirement?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site