Bug#453783: apache2: CVE-2007-4465

Hi Paul,

On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)

If you can exploit that with Firefox, Firefox should be fixed. Can you give more details? I would be very interested.

> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049
>828.html

Any broswer that interprets ascii as utf7 without being told to do so is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. Your retraction was about Apache.

> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.

If it affects only one buggy browser, it's low impact. And since the patch for the workaround is not that small (and is changing default behaviour and is adding a new config directive), I didn't want to backport it to stable. If it affects more browsers, I might reconsider.

> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

AddDefaultCharset has some often unwanted side effects. It overrides the charset in meta http-equiv tags. See

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775

It is not the default anymore in lenny and sid.

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org