
Re: [WEB SECURITY] UTF7 a requirement?



Hi Robert, you're right, UTF-8 will support the full Unicode range of
characters/code points.  I think the UTF-7 encoding was part of the Unicode
Standard up to version 3.0 and hasn't been mentioned again since (currently
we're at Unicode Standard version 5.0).  The world majority went with UTF-8 as
the encoding of choice, and minus a few mail transports or IMAP clients that
might require UTF-7 (I don't know if there still are any or not), the Web in
general can be based on UTF-8.  But, since UTF-7 has been implemented in
popular browsers, servers, and other software, it's still ripe for
vulnerability research.

The flaws we've seen reported from Stefan Esser and examples from the XSS book
illustrate the main point - if an attacker can control the encoding, they can
make a UTF-7 exploit a practical reality.  Without those types of reminders,
UTF-7 based exploits might not appear valuable when everything on the web
talks UTF-8.

I know at least IIS and ASP.NET default to using UTF-8, and web.config
actually sets this as the default response header.  This after all seems to be
the best mitigation - don't let the user control the encoding, force it to UTF-8.

Chris


---------- Original Message -----------
From: robert@xxxxxxxxxxxxx
To: websecurity@xxxxxxxxxxxxx
Sent: Mon, 24 Mar 2008 16:50:42 -0500 (EST)
Subject: [WEB SECURITY] UTF7 a requirement?

> Hello List, 
> 
> We've seen UTF7 based xss (example google
> http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
> and I'm wondering is there ever a situation where UTF7 is required for a
> website to work? Are there certain charsets/languages
> that will not render/function properly unless UTF7 is used (I'm thinking no)?
>
> It seems to me you could just set UTF8 as a requirement (specified in
> headers/meta) and avoid these utf7 xss issues. Any
> encoding ninjas care to comment?
> 
> Regards, 
> - Robert 
> http://www.cgisecurity.com/ 
> http://www.webappsec.org/ 
> 
> ---------------------------------------------------------------------------- 
> Join us on IRC: irc.freenode.net #webappsec 
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/ 
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed] 
------- End of Original Message -------
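The mitigation Chris describes (never let the client pick the charset; pin text responses to UTF-8) and the detection side of Robert's question, as an added example that is not code from either poster or from the list. It assumes response headers are a plain dict and uses Python's own `utf-7` codec to spot shift sequences that decode to markup characters.

```python
import re
from typing import Dict, List

# Media types where the charset parameter actually matters for rendering.
TEXT_TYPES = ("text/", "application/xhtml+xml", "application/javascript")

# A UTF-7 shift sequence: '+' followed by modified-base64, optionally closed by '-'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")


def force_utf8_content_type(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` in which every text response declares charset=utf-8.

    Any existing charset parameter (including one that leaked in from user input)
    is dropped and replaced; binary media types are left untouched.
    """
    out = dict(headers)
    key = next((k for k in out if k.lower() == "content-type"), None)
    if key is None:
        # No Content-Type at all: browsers would sniff, so set a safe default.
        out["Content-Type"] = "text/html; charset=utf-8"
        return out
    media, _, params = out[key].partition(";")
    media = media.strip().lower()
    if not media.startswith(TEXT_TYPES):
        return out
    kept = [p.strip() for p in params.split(";")
            if p.strip() and not p.strip().lower().startswith("charset=")]
    out[key] = "; ".join([media, *kept, "charset=utf-8"])
    return out


def find_utf7_markup(value: str) -> List[str]:
    """Return the UTF-7 shift sequences in `value` that decode to <, >, " or '.

    Useful as a logging/alerting check on request parameters: plain '+' signs in
    ordinary text ("C++", "1+1") are not valid shift sequences and are ignored.
    """
    hits = []
    for m in UTF7_SHIFT.finditer(value):
        try:
            decoded = m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            continue  # e.g. "++" or "+1": unterminated/invalid, not UTF-7 markup
        if any(ch in decoded for ch in "<>\"'"):
            hits.append(m.group(0))
    return hits


if __name__ == "__main__":
    print(force_utf8_content_type({"Content-Type": "text/html; charset=utf-7"}))
    print(find_utf7_markup("+ADw-b+AD4-hello"))  # constructed sample: "<b>hello"
```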
