
Re: [WEB SECURITY] UTF7 a requirement?



robert@xxxxxxxxxxxxx wrote:
> Hello List,
>
> We've seen UTF7 based xss (example google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
> and I'm wondering, is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
> that will not render/function properly unless UTF7 is used (I'm thinking no)?
>
> It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these utf7 xss issues. Any
> encoding ninjas care to comment?

Any unicode point can be encoded as either UTF-7 or UTF-8. The only advantage UTF-7 has over UTF-8 is that it's 7 bit safe, so if you need to send it through anything really archaic that is using the 8th bit for its own nefarious purposes, UTF-7 is the only safe way of doing it.


Are there any means of fetching a website that aren't 8-bit safe? Probably, if you're using an HTTP to email gateway (as odd as this sounds, I believe RMS still uses these) and an archaic (not sure how many of those are operational, but I'd guess the number is small) email system. Would those people have equipment that groks UTF-7? Probably not, but you never know.

As for avoiding XSS issues by setting the header to UTF-8, I wouldn't bet on it, because browsers - especially IE - have a very bad habit of automatically detecting character sets for you, I believe even if you don't ask for it, and even if the server is pretty clear about what the content is. Years of sloppy handling of character sets by servers and authors and the Postel principle caused this problem, and the only really safe thing to do is have your website safe no matter what character set the browser decides to use to parse it.

Daniel
http://papasian.org/
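The two points in the reply above, checked in code. This is an added example and not something posted in the thread: it confirms that any code point round-trips through both UTF-7 and UTF-8 and that UTF-7 output never sets the 8th bit, and it shows why a declared UTF-8 header on its own is not a defence: the same bytes contain a markup character under one charset interpretation and not under another, so a check has to decode the body under every charset a browser might sniff. The sample body, the candidate charset list and the function names are constructed for the example.

```python
# Added example (not from the thread): exercises the claims made in the reply.
# 1. Any code point is representable in both UTF-7 and UTF-8, and UTF-7 stays 7-bit clean.
# 2. Whether a byte sequence contains markup depends on the charset used to decode it,
#    so looking only at the declared (UTF-8) interpretation is not enough.

MARKUP_CHARS = set("<>\"'")


def both_encodings_round_trip(text: str) -> bool:
    """Every code point survives a round trip through UTF-7 and through UTF-8."""
    return all(text.encode(cs).decode(cs) == text for cs in ("utf-7", "utf-8"))


def is_7bit_safe(text: str) -> bool:
    """UTF-7 output never uses the 8th bit; that is its one advantage over UTF-8."""
    return all(b < 0x80 for b in text.encode("utf-7"))


def markup_under(body: bytes, charsets) -> dict:
    """For each candidate charset, report whether the body decoded under it
    contains a markup-significant character. A defensive check should look at
    every charset a browser might auto-detect, not just the declared one."""
    result = {}
    for cs in charsets:
        text = body.decode(cs, errors="replace")
        result[cs] = any(ch in MARKUP_CHARS for ch in text)
    return result


# Constructed sample: pure 7-bit ASCII on the wire and harmless when read as
# UTF-8 or Latin-1, but the "+ADw-" shift sequence decodes to "<" under UTF-7.
SAMPLE_BODY = b"price: 5 +ADw- 10"
CANDIDATE_CHARSETS = ("utf-8", "iso-8859-1", "utf-7")

if __name__ == "__main__":
    sample_text = "caf\u00e9 \u20ac \u4e2d"  # Latin-1, BMP symbol, CJK
    print("round-trips in both:", both_encodings_round_trip(sample_text))
    print("UTF-7 is 7-bit safe:", is_7bit_safe(sample_text))
    print("markup per charset:", markup_under(SAMPLE_BODY, CANDIDATE_CHARSETS))
```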
