[WEB SECURITY] UTF7 a requirement?

Daniel Papasian daniel at papasian.org
Mon Mar 24 18:50:30 EDT 2008


robert at webappsec.org wrote:
> Hello List,
> 
> We've seen UTF7 based xss (example google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
> and I'm wondering is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
> that will not render/function properly unless UTF7 is used (I'm thinking no)?
> 
> It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these utf7 xss issues. Any
> encoding ninjas care to comment? 

Any Unicode code point can be encoded as either UTF-7 or UTF-8.  The only 
advantage UTF-7 has over UTF-8 is that it's 7 bit safe, so if you need 
to send it through anything really archaic that is using the 8th bit for 
its own nefarious purposes, UTF-7 is the only safe way of doing it.

Are there any means of fetching a website that aren't 8-bit safe? 
Probably, if you're using an HTTP to email gateway (as odd as this 
sounds, I believe RMS still uses these) and an archaic (not sure how 
many of those are operational, but I'd guess the number is small) email 
system.  Would those people have equipment that groks UTF-7?  Probably 
not, but you never know.

As for avoiding XSS issues by setting the header to UTF-8, I wouldn't 
bet on it, because browsers - especially IE - have a very bad habit of 
automatically detecting character sets for you, I believe even if you 
don't ask for it, and even if the server is pretty clear about what the 
content is.  Years of sloppy handling of character sets by servers and 
authors and the Postel principle caused this problem, and the only 
really safe thing to do is have your website safe no matter what 
character set the browser decides to use to parse it.

Daniel
http://papasian.org/
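To illustrate the closing recommendation (output that stays safe whichever charset the browser decides to parse it as), here is an added Python example that is not part of the original thread. It renders a constructed page template with a user-supplied name and compares the tags a parser would see under UTF-8 versus UTF-7 decoding; the template, the function names and the `&#43;` substitution for `+` are my assumptions, not anything from the list.

```python
import html
import re

# Constructed sample template with one user-controlled slot (assumption).
TEMPLATE = "<html><body><p>Hello, {name}</p></body></html>"


def declares_utf8(content_type: str) -> bool:
    """True if the Content-Type header pins the charset to UTF-8.
    This is the first layer the thread discusses; on its own it does not
    stop a browser that sniffs the charset anyway."""
    return re.search(r";\s*charset\s*=\s*\"?utf-8\"?", content_type, re.I) is not None


def render_naive(name: str) -> bytes:
    """Escape only the usual HTML metacharacters (& < > " ')."""
    return TEMPLATE.format(name=html.escape(name, quote=True)).encode("ascii")


def render_hardened(name: str) -> bytes:
    """Additionally neutralise '+', the UTF-7 shift character, so the escaped
    text decodes to the same characters under UTF-8 and UTF-7.
    Assumes the template itself is pure ASCII."""
    escaped = html.escape(name, quote=True).replace("+", "&#43;")
    return TEMPLATE.format(name=escaped).encode("ascii")


def tags_under_charset(body: bytes, charset: str) -> list:
    """Decode the response body as the given charset and list the tag names
    a tolerant HTML parser would start on '<'."""
    text = body.decode(charset, errors="replace")
    return re.findall(r"<([A-Za-z]+)", text)


def extra_tags_if_sniffed(body: bytes) -> set:
    """Tags that appear only when the body is read as UTF-7 rather than UTF-8.
    A non-empty result means the escaping does not survive charset sniffing."""
    baseline = set(tags_under_charset(body, "utf-8"))
    return set(tags_under_charset(body, "utf-7")) - baseline


if __name__ == "__main__":
    # Constructed input: '+ADw-' and '+AD4-' are UTF-7 for '<' and '>'.
    sample = "+ADw-i+AD4-Bob"
    print("naive:", extra_tags_if_sniffed(render_naive(sample)))      # {'i'}
    print("hardened:", extra_tags_if_sniffed(render_hardened(sample)))  # set()
```

The check is meant to run in a test suite over real templates: any tag that shows up only under the UTF-7 reading is a place where the escaping depends on the browser honouring the declared charset.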
