extent of UTF-7 exploits?

Posted by nuttzy 
extent of UTF-7 exploits?
April 21, 2008 12:25PM

There's plenty of information on the net about concern in using UTF-7 to get around htmlentities when encoding for the page is not set. My question is, what browsers are vulnerable? Meaning, if I had a page where no charset was defined, which browsers would actually render the UTF-7 exploit?

EDIT: changed "now" to "not"

Re: extent of UTF-7 exploits?
April 21, 2008 12:30PM

As far as I can tell, Internet Explorer 6 was the only one, with Firefox 1.5 also doing so in rare cases of auto-detection.

Really, though, you don't need to worry about this if you're sending explicit character encodings.
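
The check implied by the reply above (is an explicit character encoding being sent?) can be automated. This is an added example, not part of the original thread: a Python audit that flags a response with no charset in its Content-Type header, BOM or early meta tag, and notes when such a body also contains UTF-7-shifted angle brackets. The function names, finding labels and sample responses are constructed for illustration.

```python
import re

CHARSET_RE = re.compile(r'charset\s*=\s*"?([^";\s]+)', re.I)
META_RE = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?([\w.:-]+)', re.I)
UTF7_MARKUP_RE = re.compile(rb'\+AD[w4]-?')  # heuristic: UTF-7 forms of "<" and ">"
BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16le"), (b"\xfe\xff", "utf-16be"))

# Constructed sample responses: (headers, body bytes).
SAMPLES = {
    "explicit": ({"Content-Type": "text/html; charset=UTF-8"}, b"<p>+ADw-b+AD4-hi</p>"),
    "missing": ({"Content-Type": "text/html"}, b"<p>+ADw-b+AD4-hi</p>"),
    "meta_only": ({"content-type": "text/html"}, b'<head><meta charset="utf-8"></head>'),
}


def declared_charset(headers, body):
    """Return (charset, source) for the first explicit declaration, else (None, None)."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    m = CHARSET_RE.search(ctype)
    if m:
        return m.group(1).lower(), "header"
    for bom, name in BOMS:
        if body.startswith(bom):
            return name, "bom"
    m = META_RE.search(body[:1024])  # only the start of the document is prescanned
    if m:
        return m.group(1).decode("ascii").lower(), "meta"
    return None, None


def audit(headers, body):
    """Return a list of finding labels; an empty list means nothing was flagged."""
    charset, _source = declared_charset(headers, body)
    findings = []
    if charset is None:
        findings.append("missing-charset")  # browser is left to guess the encoding
    elif charset == "utf-7":
        findings.append("utf7-declared")
    # With any other explicit charset the "+ADw-" sequences are inert text.
    if charset in (None, "utf-7") and UTF7_MARKUP_RE.search(body):
        findings.append("utf7-markup")
    return findings


if __name__ == "__main__":
    for name, (headers, body) in SAMPLES.items():
        print(name, declared_charset(headers, body), audit(headers, body))
```
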

Re: extent of UTF-7 exploits?
April 21, 2008 01:36PM

Great, thanks for the info. As for IE6, how bad was it? Do you know if it was exploitable by default or was setting Auto-Select required? Thanks again!

Re: extent of UTF-7 exploits?
April 21, 2008 01:37PM

Exploitable by default, I believe.

Re: extent of UTF-7 exploits?
April 22, 2008 01:11AM

Thanks!
