Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

1 msg	[ GLSA 200805-08 ] InspIRCd: Denial of Service

Apache Server HTML Injection and UTF-7 XSS Vuln...
\ lament hero (9 May 2008)
. \ cxib (10 May 2008)
. \ yos20053 (12 May 2008)
. \ cxib (12 May 2008)
. \ lament hero (15 May 2008)
. \ Tom.Donovan (15 May 2008)

1 msg	[USN-611-3] GStreamer Good Plugins vulnerability
1 msg	[USN-611-2] vorbis-tools vulnerability
1 msg	FLEA-2008-0008-1 firefox
1 msg	[USN-611-1] Speex vulnerability
1 msg	ezContents CMS Version 2.0.0 SQL Injection Vuln...
1 msg	iDefense Security Advisory 05.07.08: Multiple V...
1 msg	ZYWALL Referer Header XSS Vulnerability
1 msg	iDefense Security Advisory 05.07.08: Multiple V...
1 msg	iDefense Security Advisory 05.07.08: Multiple V...
1 msg	[ GLSA 200805-04 ] eGroupWare: Multiple vulnera...
2 msg	Re: After 6 months - fix available for Microsof...
1 msg	Novell Client <= 4.91 SP4 Local Stack overfl...
9 msg	Exploiting Google MX servers as Open SMTP Relays
1 msg	Vulnerability in Multiple Web Application
1 msg	VBZooM <=V1.11 'reply.php' SQL Injection Vul...
1 msg	Multiple XSS In TuxCMS All Version
1 msg	[ GLSA 200805-03 ] Multiple X11 terminals: Loca...
1 msg	[USN-610-1] LTSP vulnerability

Subject:	Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
Group:	Bugtraq
From:	cxib
Date:	10 May 2008

Bogus.

cxib# curl -I "http://[host]/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvju dPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8 Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3 Cfont%20size=50%3EDEFACED%3C-script+AD4-alert('xss')+ADw-/script+AD4---//--"
HTTP/1.1 403 Forbidden
Date: Sat, 10 May 2008 09:51:22 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5
Content-Type: text/html; charset=iso-8859-1

Content-Type is set.

Best Regards
Maksymilian Arciemowicz
securityreason.com