Bug#453783: apache2: CVE-2007-4465

To: Paul Szabo <psz@maths.usyd.edu.au>
Subject: Bug#453783: apache2: CVE-2007-4465
From: Stefan Fritsch <sf@sfritsch.de>
Date: Tue, 4 Dec 2007 22:43:26 +0100
Message-id: <[🔎] 200712042243.27130.sf@sfritsch.de>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 453783@bugs.debian.org
In-reply-to: <[🔎] 200712011947.lB1JlFAZ012480@asti.maths.usyd.edu.au>
References: <[🔎] 200712011947.lB1JlFAZ012480@asti.maths.usyd.edu.au>

Dear Paul,

thanks for the information.

On Saturday 01 December 2007, you wrote:
> > If you can exploit that with Firefox, Firefox should be fixed.
> > Can you give more details? I would be very interested.
>
> Will do, offline (because it affects the main web login site of my
> Uni). Essentially, I found that Firefox will inherit the charset of
> the parent page, when that had been selected manually (does not
> inherit the charset specified in headers or meta). I guess this is
> a "new" bug in Firefox, maybe they should be told...

This would require some social engineering but could probably be  
exploited in some cases. I think reporting it to the Firefox bugzilla 
would be a good idea.

> > If it affects only one buggy browser, it's low impact. ...
>
> If that buggy browser is IE, used by 90% of the (deluded)
> population, then is it not low impact.

I have commited the patch to our SVN repository for etch. It will 
probably be released with etch r3 (or maybe r2, if that is delayed 
further). I still do not think it is important enough for a security 
advisory.

Cheers,
Stefan

Reply to:

References:
- Bug#453783: apache2: CVE-2007-4465
  - From: Paul Szabo <psz@maths.usyd.edu.au>

Prev by Date: 成.为.优.秀.部.门.主.管.经.理.专.题 uxftk
Next by Date: Processed: severity of 453783 is important, user debian-release@lists.debian.org, usertagging 453783 ...
Previous by thread: Bug#453783: apache2: CVE-2007-4465
Next by thread: Bug#453783: apache2: CVE-2007-4465
Index(es):
- Date
- Thread