Frank DENIS random thoughts.

A frightening vulnerability in Internet Explorer 8 has been disclosed: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection.

That one is similar to an important issue that already affected Firefox and IE7.

But it looks like it hasn’t been fixed for good. If a web page doesn’t specify a charset, the browser can be tricked into loading it with the charset of a malicious web site. And the deal is that UTF-7 doesn’t encode characters like brackets the same way as ASCII, UTF-8 or Latin charsets. If a page is rendered as UTF-7 while the server-side XSS-prevention mechanisms aren’t aware that UTF-7 is what the browser loaded the page as, those mechanisms just become pointless, opening wide XSS holes.

Just read the scary details on the SecureThoughts web site.

And double check that every page you serve explicitly sends a charset.
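
One way to run that check, together with a demonstration of why it matters, as an added example that is not part of the original post. The function names, the sample value and the 1024-byte limit on the `<meta>` scan are assumptions made for illustration.

```python
import html
import re
from email.message import Message

# Matches <meta charset="..."> and <meta http-equiv=... content="...; charset=...">
META_CHARSET = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?\s*([A-Za-z0-9_.:-]+)', re.I)


def header_charset(content_type):
    """Return the charset parameter of a Content-Type header value, or None."""
    if not content_type:
        return None
    msg = Message()
    msg["Content-Type"] = content_type
    cs = msg.get_param("charset")
    return cs.lower() if isinstance(cs, str) and cs else None


def meta_charset(body):
    """Return the charset declared in a <meta> tag near the top of the body, or None."""
    m = META_CHARSET.search(body[:1024])  # assumption: only scan the first 1024 bytes
    return m.group(1).decode("ascii").lower() if m else None


def audit(content_type, body):
    """Classify an HTML response as 'ok', 'meta-only', 'missing' or 'dangerous'."""
    from_header = header_charset(content_type)
    declared = from_header or meta_charset(body)
    if declared is None:
        return "missing"      # the browser is left to guess or inherit a charset
    if declared.replace("-", "") == "utf7":
        return "dangerous"    # never serve pages declared as UTF-7
    return "ok" if from_header else "meta-only"


def escaped_then_read_as_utf7(value):
    """Escape a value server-side, then decode it the way a browser would
    if it had been tricked into treating the page as UTF-7."""
    return html.escape(value).encode("ascii").decode("utf-7")


if __name__ == "__main__":
    # Constructed sample: a harmless <b> tag written in UTF-7.
    sample = "+ADw-b+AD4-"
    print(html.escape(sample))                # escaping finds nothing to escape
    print(escaped_then_read_as_utf7(sample))  # yet the browser would see a tag
    print(audit("text/html", b"<html><body>hi</body></html>"))
```

Responses reported as `missing` are the ones the post warns about; `meta-only` pages declare a charset but rely on the markup rather than the HTTP header.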