Bug#453783: apache2: CVE-2007-4465
Dear Stefan,
> If you can exploit that with Firefox, Firefox should be fixed. Can you
> give more details? I would be very interested.
Will do, offline (because it affects the main web login site of my Uni).
Essentially, I found that Firefox will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I guess this is a "new" bug in Firefox,
maybe they should be told...
> Any browser that interprets ascii as utf7 without being told to do so
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
> Your retraction was about Apache.
So IE "encoding autoselect" is severely buggy: I almost agree.
Whatever people think CVE-2006-5152 is about, I meant my posts to be
about Apache. (No use trying to get MS to fix IE.)
> If it affects only one buggy browser, it's low impact. ...
If that buggy browser is IE, used by 90% of the (deluded) population,
then it is not low impact.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia