[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#453783: apache2: CVE-2007-4465



Dear Stefan,

> If you can exploit that with Firefox, Firefox should be fixed. Can you 
> give more details? I would be very interested.

Will do, offline (because it affects the main web login site of my Uni).
Essentially, I found that Firefox will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I guess this is a "new" bug in Firefox,
maybe they should be told...

> Any broswer that interprets ascii as utf7 without being told to do so 
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. 
> Your retraction was about Apache.

So IE "encoding autoselect" is severely buggy: I almost agree.

Whatever people think CVE-2006-5152 is about, I meant my posts to be
about Apache. (No use trying to get MS to fix IE.)

> If it affects only one buggy browser, it's low impact. ...

If that buggy browser is IE, used by 90% of the (deluded) population,
then is it not low impact.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Reply to: