[Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
Paul Schmehl
pauls at utdallas.edu
Mon Oct 2 18:41:32 BST 2006
--On October 2, 2006 9:44:27 AM -0400 Brian Eaton <eaton.lists at gmail.com>
wrote:
>
> I'm guessing that you tested a server with some kind of customized 404
> response that neglected to include a charset specification. That's
> not a vulnerability in Apache, that is poor site configuration.
>
Brian, a question for clarification. When you say "customized 404
response", you are not referring to a customized error document (as
described briefly in the httpd.conf file) but rather to having changed the
headers that the server returns when queried with a GET request, correct?
And wouldn't this require changing source code and compiling a custom
build of apache?
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
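To make the distinction in Paul's question concrete: Apache's ErrorDocument directive only substitutes the body of the 404 page, while the charset parameter reaches the Content-Type header through configuration such as AddDefaultCharset (which applies to text/plain and text/html responses), so no rebuild of httpd is involved either way. The following is an added example, not code from the thread or from Apache: it parses two constructed 404 responses, one that declares a charset and one that does not, flags the HTML response that leaves the charset undeclared, and shows what a UTF-7 fragment decodes to, which is why an undeclared charset matters in the IE case the subject line refers to. The sample responses and the fragment are constructed here, not captured from any real server.

```python
import re

# Constructed sample responses (not captured from any real server).
# A 404 whose Content-Type carries a charset, as AddDefaultCharset would produce:
RESP_WITH_CHARSET = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>Not Found: /+ADw-script+AD4-</body></html>"
)

# A custom 404 page served with no charset at all, the configuration Brian describes:
RESP_NO_CHARSET = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Not Found: /+ADw-script+AD4-</body></html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def declared_charset(headers):
    """Return the charset parameter of Content-Type (lower-cased), or None if absent."""
    ctype = headers.get("content-type", "")
    m = re.search(r";\s*charset\s*=\s*\"?([\w.:-]+)\"?", ctype, re.IGNORECASE)
    return m.group(1).lower() if m else None


def html_without_charset(raw: bytes) -> bool:
    """True when a text/html response leaves the character set for the browser to guess."""
    _, headers, _ = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("text/html"):
        return False
    return declared_charset(headers) is None


def utf7_decodes_to(fragment: bytes) -> str:
    """Decode a fragment as UTF-7, i.e. what a browser that picks UTF-7 would render."""
    return fragment.decode("utf-7")


if __name__ == "__main__":
    for label, resp in (("with charset", RESP_WITH_CHARSET),
                        ("no charset", RESP_NO_CHARSET)):
        status, headers, _ = parse_response(resp)
        print(f"{label}: {status} charset={declared_charset(headers)} "
              f"undeclared={html_without_charset(resp)}")
    # The constructed fragment is plain ASCII in the body, but decodes to a tag in UTF-7.
    print("UTF-7 view of +ADw-script+AD4-:", utf7_decodes_to(b"+ADw-script+AD4-"))
```

The check is deliberately narrow: it reports only whether the server committed to a charset for HTML, which is the configuration point Brian raises, and takes no position on how any particular browser sniffs an undeclared page.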
Full-Disclosure is hosted and sponsored by Secunia.