Bug#453783: apache2: CVE-2007-4465
Hi Paul,
On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)
If you can exploit that with Firefox, Firefox should be fixed. Can you
give more details? I would be very interested.
> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html
Any browser that interprets ASCII as UTF-7 without being told to do so
is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
Your retraction was about Apache.
> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.
If it affects only one buggy browser, it's low impact. And since the
patch for the workaround is not that small (and is changing default
behaviour and is adding a new config directive), I didn't want to
backport it to stable. If it affects more browsers, I might
reconsider.
> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.
AddDefaultCharset has some often unwanted side effects. It overrides
the charset in meta http-equiv tags. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775
It is not the default anymore in lenny and sid.
Cheers,
Stefan
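The charset precedence the thread is arguing about, as an added example (not code from this bug report, from Apache, or from either poster): a Content-Type charset beats a `<meta http-equiv>` charset, and a response with neither leaves the browser free to guess. `add_default_charset` is an assumed, simplified model of Apache's AddDefaultCharset directive (charset appended only to text/plain and text/html responses lacking one); the sample responses are constructed.

```python
import re
from typing import Optional, Tuple

# Simplified model, not Apache code: header charset wins over <meta http-equiv>.
_HEADER_CHARSET = re.compile(r';\s*charset\s*=\s*"?([\w.:-]+)"?', re.I)
_META_CHARSET = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?content-type["\']?[^>]*'
    r'charset\s*=\s*["\']?([\w.:-]+)', re.I)


def content_type(headers: dict) -> str:
    """Case-insensitive lookup of the Content-Type header ('' if absent)."""
    return next((v for k, v in headers.items() if k.lower() == "content-type"), "")


def effective_charset(headers: dict, body: str) -> Tuple[str, Optional[str]]:
    """Return (source, charset); source is 'header', 'meta' or 'none'.
    'none' means nothing pins the encoding and the browser may sniff it."""
    m = _HEADER_CHARSET.search(content_type(headers))
    if m:
        return "header", m.group(1).lower()
    m = _META_CHARSET.search(body)
    if m:
        return "meta", m.group(1).lower()
    return "none", None


def add_default_charset(headers: dict, default: str = "UTF-8") -> dict:
    """Assumed model of AddDefaultCharset: append a charset to text/plain and
    text/html responses that carry none; leave other media types alone."""
    out = dict(headers)
    for k in list(out):
        if k.lower() == "content-type":
            ctype = out[k]
            mime = ctype.split(";", 1)[0].strip().lower()
            if mime in ("text/plain", "text/html") and not _HEADER_CHARSET.search(ctype):
                out[k] = f"{ctype}; charset={default}"
    return out


def charset_is_pinned(headers: dict, body: str) -> bool:
    """True when the response declares its charset somewhere the browser honours."""
    return effective_charset(headers, body)[0] != "none"


# Constructed samples: an error page with no charset anywhere, and a page
# that declares its charset only through a <meta http-equiv> tag.
ERROR_PAGE = ({"Content-Type": "text/html"}, "<html><body><h1>Forbidden</h1></body></html>")
META_PAGE = ({"Content-Type": "text/html"},
             '<html><head><meta http-equiv="Content-Type" '
             'content="text/html; charset=ISO-8859-1"></head></html>')
```

Running `effective_charset` on `META_PAGE` before and after `add_default_charset` reproduces the side effect Stefan describes: the meta tag's ISO-8859-1 is overridden by the header's UTF-8.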