Bug#453783: apache2: CVE-2007-4465

To: sf@sfritsch.de
Cc: 453783@bugs.debian.org
Subject: Bug#453783: apache2: CVE-2007-4465
From: Paul Szabo <psz@maths.usyd.edu.au>
Date: Sun, 2 Dec 2007 06:47:15 +1100
Message-id: <[🔎] 200712011947.lB1JlFAZ012480@asti.maths.usyd.edu.au>
Reply-to: Paul Szabo <psz@maths.usyd.edu.au>, 453783@bugs.debian.org
In-reply-to: <[🔎] 200712011247.24423.sf@sfritsch.de>

Dear Stefan,

> If you can exploit that with Firefox, Firefox should be fixed. Can you 
> give more details? I would be very interested.

Will do, offline (because it affects the main web login site of my Uni).
Essentially, I found that Firefox will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I guess this is a "new" bug in Firefox,
maybe they should be told...

> Any broswer that interprets ascii as utf7 without being told to do so 
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. 
> Your retraction was about Apache.

So IE "encoding autoselect" is severely buggy: I almost agree.

Whatever people think CVE-2006-5152 is about, I meant my posts to be
about Apache. (No use trying to get MS to fix IE.)

> If it affects only one buggy browser, it's low impact. ...

If that buggy browser is IE, used by 90% of the (deluded) population,
then is it not low impact.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Reply to:

Follow-Ups:
- Bug#453783: apache2: CVE-2007-4465
  - From: Stefan Fritsch <sf@sfritsch.de>

References:
- Bug#453783: apache2: CVE-2007-4465
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#453783: apache2: CVE-2007-4465
Next by Date: [bts-link] source package apache2
Previous by thread: Bug#453783: apache2: CVE-2007-4465
Next by thread: Bug#453783: apache2: CVE-2007-4465
Index(es):
- Date
- Thread