Re: [WEB SECURITY] UTF7 a requirement?
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] UTF7 a requirement?
- Date: Mon, 24 Mar 2008 17:18:13 -0700
Hey Robert -- Ah, this fun subject. I am *still* seeing UTF-7 around too.
7 bit encodings are still used by some old protocols and
client/servers, like old mail systems, for a variety of reasons. Joel
Spolsky has a great rant about this on his blog, if one is interested
in some legacy *whys*.
I still see UTF-7 used on systems where they've glued their web code
together with some legacy mail or 7 bit lazy encoded app on a
mainframe datasource.
Some quick facts for those who care:
+ You mostly care about this with IE (for exploitation)
+ Some applications do weird transcodings between deprecated ISO
formats (iso-8859) and things like UTF-8 or specific international
language code pages, and then you have even more issues (like
malformed UTF-7 or US-ASCII)
+ IE auto mime detection works under a hierarchy of 5 conditions.
Search "Internet Explorer auto mime sniffing" and you'll find most of
the related documentation. Having trouble finding the link now;
msdn.microsoft.com doesn't render well in FF 2. + OS X 1.5.
+ In the case of IE, you possibly wind up in control of the content if
you land in the first 200 or 256 bytes of the page. The length depends
on the header settings plus mime-sniff conditions; they are different
depending on whether or not Content Type and Content Disposition are
defined but wrong, unknown, or are ambiguous.
+ If the web server doesn't set the encoding type at all for some
reason, you have the best chance of altering this, both with regards
to Content and Disposition/Encoding:

Instead of:
    Content-Type: text/html; charset=iso-8859-1
--or--
    Content-Type: text/html; charset=UTF-8
you see:
    Content-Type: text/html
-or-
    Content-Type: (blank)

Then you can have some fun.
Web Servers (like IIS) usually define a legacy (ISO 8859) charset, if
anything. They don't care much about content, unless you tell them to.
Modern frameworks, like .NET, and other new J2EE and Rails type MVC
setups tend to enforce UTF-8 out of the box, which is smart.
--
Arian Evans, software security stuff
reformed hacker turned animal rights activist to meet hot chicks
concerned with those tasty animals
On Mon, Mar 24, 2008 at 2:50 PM, <robert@xxxxxxxxxxxxx> wrote:
> Hello List,
>
> We've seen UTF7 based xss (example google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
> and I'm wondering is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
> that will not render/function properly unless UTF7 is used (I'm thinking no)?
>
> It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these utf7 xss issues. Any
> encoding ninjas care to comment?
>
> Regards,
> - Robert
> http://www.cgisecurity.com/
> http://www.webappsec.org/
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
Brought to you by http://www.webappsec.org
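
An added example, not part of the original message: a Python response audit that flags the conditions described in the thread, namely a blank or charset-less Content-Type and UTF-7 runs that decode to markup characters inside the sniffed prefix of the page. The function names, the 256-byte window (taken as the upper end of the "200 or 256 bytes" mentioned above) and the sample response are assumptions made for illustration.

```python
import base64
import re

SNIFF_WINDOW = 256  # assumption: upper end of the "200 or 256 bytes" range
UTF7_RUN = re.compile(rb"\+([A-Za-z0-9+/]+)-?")  # '+', modified base64, optional '-'
MARKUP = set("<>\"'")

def charset_of(content_type):
    """Return the lowercased charset parameter, or None if absent."""
    if not content_type:
        return None
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.lower() == "charset" and value:
            return value.strip("\"' ").lower()
    return None

def utf7_markup_runs(body):
    """UTF-7 runs in the sniff window that decode to HTML metacharacters."""
    hits = []
    for m in UTF7_RUN.finditer(body[:SNIFF_WINDOW]):
        b64 = m.group(1)
        try:
            raw = base64.b64decode(b64 + b"=" * (-len(b64) % 4))
            text = raw[: len(raw) // 2 * 2].decode("utf-16-be")
        except ValueError:  # bad base64 or bad UTF-16: ordinary text, not UTF-7
            continue
        if MARKUP & set(text):
            hits.append(m.group(0).decode("ascii"))
    return hits

def audit(headers, body):
    """headers: dict of response headers; body: bytes. Returns a list of findings."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    charset = charset_of(ctype)
    findings = []
    if not ctype.strip():
        findings.append("content-type missing or blank")
    elif charset is None:
        findings.append("no charset declared")
    elif charset == "utf-7":
        findings.append("charset is utf-7")
    if charset in (None, "utf-7"):  # body can end up interpreted as UTF-7
        findings += ["utf-7 markup in sniff window: " + h for h in utf7_markup_runs(body)]
    return findings

# Constructed sample: charset-less response whose title holds a UTF-7 encoded "<b>".
SAMPLE = ({"Content-Type": "text/html"}, b"<html><title>+ADw-b+AD4-hi</title>")
```

Calling `audit(*SAMPLE)` returns three findings; the same body served with `charset=UTF-8` returns none.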