
Bug#453783: apache2: CVE-2007-4465



Hi Paul,

On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)

If you can exploit that with Firefox, Firefox should be fixed. Can you 
give more details? I would be very interested.

> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

Any browser that interprets ascii as utf7 without being told to do so
is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
Your retraction was about Apache.

> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.

If it affects only one buggy browser, it's low impact. And since the 
patch for the workaround is not that small (and is changing default 
behaviour and is adding a new config directive), I didn't want to 
backport it to stable. If it affects more browsers, I might 
reconsider.

> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.

AddDefaultCharset has some often unwanted side effects. It overrides 
the charset in meta http-equiv tags. See

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775

It is not the default anymore in lenny and sid.

Cheers,
Stefan
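
As an added example, not code from the thread or from Apache, here is a small Python audit for the condition the AddDefaultCharset workaround above addresses: a text response whose Content-Type header carries no charset parameter, leaving the encoding to browser guessing. It also emulates what the directive does to such a header (adds the charset to text/plain and text/html responses that lack one, as the Apache documentation describes); the hostnames and header blocks are constructed samples.

```python
"""Flag text responses with no declared charset, and emulate AddDefaultCharset."""

# Media types the Apache directive touches; everything else passes through unchanged.
TEXT_TYPES_COVERED = {"text/plain", "text/html"}


def parse_content_type(value):
    """Split a Content-Type value into (media_type, {param: value}), both lowercased keys."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return media_type, params


def lacks_charset(content_type):
    """True for any text/* response that does not pin its charset in the header."""
    media_type, params = parse_content_type(content_type)
    return media_type.startswith("text/") and "charset" not in params


def apply_add_default_charset(content_type, default="UTF-8"):
    """Emulate AddDefaultCharset: append a charset to text/plain and text/html
    responses that have none; leave other types and explicit charsets alone."""
    media_type, params = parse_content_type(content_type)
    if media_type in TEXT_TYPES_COVERED and "charset" not in params:
        return f"{content_type.strip()}; charset={default}"
    return content_type


def audit_responses(responses):
    """responses: list of (url, raw_header_block). Returns the urls whose text
    response (or missing Content-Type) leaves charset detection to the browser."""
    findings = []
    for url, raw in responses:
        content_type = None
        for line in raw.splitlines():
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "content-type":
                content_type = value.strip()
        if content_type is None or lacks_charset(content_type):
            findings.append(url)
    return findings


# Constructed sample responses, not captured from any real server.
SAMPLE_RESPONSES = [
    ("http://example.test/icons/", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("http://example.test/index.html", "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"),
    ("http://example.test/logo.png", "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"),
    ("http://example.test/readme.txt", "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"),
]

if __name__ == "__main__":
    for url in audit_responses(SAMPLE_RESPONSES):
        print("no charset declared:", url, "->", apply_add_default_charset("text/html"))
```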
