SecureThoughts.com has disclosed a frightening vulnerability in Internet Explorer 8: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection.
That one is similar to an important issue that already affected Firefox and IE7.
But it looks like it hasn’t been fixed for good. If a web page doesn’t specify a charset, the browser can be tricked into rendering it with a charset chosen by a malicious web site. The catch is that UTF-7 doesn’t encode characters like angle brackets the way ASCII, UTF-8 or the Latin charsets do: "<" becomes "+ADw-" and ">" becomes "+AD4-", sequences made of plain, harmless-looking ASCII. So if a page ends up rendered as UTF-7 while the server-side XSS-prevention mechanisms don’t know that this is how the browser will interpret it, they only look for the ASCII brackets, let the UTF-7 form straight through, and become pointless, opening wide XSS holes.
Just read the scary details on the SecureThoughts web site.
And double check that every page you serve explicitly sends a charset, in the Content-Type header at the very least.
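To make the bypass and the fix concrete, here is an added example that is not code from the original post or from SecureThoughts. It models both sides of the problem described above: a server-side escaper that only knows about ASCII angle brackets, and a small UTF-7 decoder standing in for a browser that has been steered into rendering the page as UTF-7. It ends with the check suggested above, whether a Content-Type value actually declares a charset. The payload, the function names (htmlEscape, utf7Decode, renderAs, hasExplicitCharset) and the sample strings are all constructed for illustration, and the decoder covers only as much of RFC 2152 as this demo needs.

```javascript
// Added example, not from the original post. Models the UTF-7 XSS bypass:
// a server-side escaper unaware of UTF-7, and a minimal UTF-7 decoder playing
// the role of a browser tricked into rendering the response as UTF-7.
// All names, payloads and sample strings here are constructed for the demo.

// A typical server-side XSS filter: it neutralises the ASCII metacharacters
// and nothing else. Against an ASCII "<script>" this is fine.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Minimal UTF-7 decoder (RFC 2152): '+' starts a run of modified base64 that
// decodes to UTF-16BE code units; '-' (absorbed) or any non-base64 character
// ends the run; "+-" is a literal '+'. Enough of the spec for this demo.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

function decodeShifted(run) {
  // Accumulate 6-bit groups and emit every complete 16-bit code unit.
  let bits = 0, nbits = 0, out = '';
  for (const ch of run) {
    bits = (bits << 6) | B64.indexOf(ch);
    nbits += 6;
    if (nbits >= 16) {
      nbits -= 16;
      out += String.fromCharCode((bits >> nbits) & 0xffff);
      bits &= (1 << nbits) - 1;
    }
  }
  return out;
}

function utf7Decode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '+') { out += s[i]; continue; }
    if (s[i + 1] === '-') { out += '+'; i++; continue; }  // "+-" -> "+"
    let j = i + 1;
    while (j < s.length && B64.indexOf(s[j]) >= 0) j++;
    out += decodeShifted(s.slice(i + 1, j));
    i = (s[j] === '-') ? j : j - 1;                       // trailing '-' is absorbed
  }
  return out;
}

// What the attacker submits: a <script> tag in UTF-7. '<' is U+003C, i.e. the
// bytes 00 3C, which base64 to "ADw"; '>' is 00 3E, which base64 to "AD4".
const PAYLOAD_UTF7 = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// The server escapes the untrusted value, then the browser decodes the body
// in whatever charset it settled on. With no charset declared, a page can be
// pushed to UTF-7, and the escaper never saw a bracket to escape.
function renderAs(charset, untrusted) {
  const body = '<p>Hello ' + htmlEscape(untrusted) + '</p>';
  return charset === 'UTF-7' ? utf7Decode(body) : body;
}

function containsScriptTag(html) {
  return /<script>/i.test(html);
}

// The fix from the post: declare the charset so the browser never guesses.
// A quick sanity check for a Content-Type header value.
function hasExplicitCharset(contentType) {
  return /;\s*charset\s*=\s*["']?[\w-]+/i.test(contentType || '');
}

console.log('rendered as UTF-8:', renderAs('UTF-8', PAYLOAD_UTF7));
console.log('rendered as UTF-7:', renderAs('UTF-7', PAYLOAD_UTF7));
console.log('"text/html" declares a charset?', hasExplicitCharset('text/html'));
```

Run with node: the UTF-8 line shows the payload surviving the escaper untouched but inert, while the UTF-7 line shows the very same escaped body turning into a live `<script>alert(1)</script>`. Nothing on the server changed between the two; only the charset the browser chose did, which is exactly why the fix is to take that choice away from it.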