User Controllable Charset

Apr 15, 2009 at 9:15 AM
Hi list,

Using Watcher I've found a possible high vulnerability on my web site:


User Controllable Charset

Risk: High

The page at the following URL:

...&encoding=UTF-8&...

1) a(n) 'Content-Type' tag 'UTF-8' attribute

The user input found was:
encoding=UTF-8

The context was:
Content-Type HTTP header


Why is it high? How can I try to exploit the web application with this leak?

Thank you,
AlfonsO

Coordinator
Apr 17, 2009 at 6:00 AM
Edited Apr 17, 2009 at 6:00 AM

Hi AlfonsO, there have been many examples of cross-site scripting attacks that leverage user control over the HTML's character encoding, or charset value. This doesn't mean your application has a vulnerability, but it was flagged as high-severity because an attacker has gained significant control over the content, and how the browser renders it.

For this to be exploitable, the attacker would need to control some other data in the page's content. They could set the charset value to UTF-7 and inject a small fragment of UTF-7 encoded script in the page. You can find some good examples of this pattern on Yosuke Hasegawa's page at http://openmya.hacker.jp/hasegawa/security/utf7cs.html

If they don't have any more control, then you could ignore this warning.
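An added illustration of the two sides of this finding, written for this thread and not part of Watcher or the original posts: an allowlist that stops a query parameter such as `encoding=` from choosing the response charset (so UTF-7 can never be selected), and a small check that reproduces what Watcher reported, flagging a response whose Content-Type charset echoes a query-string value. The parameter name `encoding`, the allowlist contents and the URLs are assumptions chosen to match the report above.

```python
"""Added example for this thread (not Watcher's code): normalize a
user-supplied charset before it reaches Content-Type, and detect the
'user controllable charset' condition that Watcher flags."""
from urllib.parse import parse_qs, urlparse

# Encodings the application actually serves. UTF-7 is deliberately
# absent: it is never a legitimate output charset for an HTML page.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}
DEFAULT_CHARSET = "utf-8"


def safe_charset(requested):
    """Map a requested charset onto the allowlist; unknown values fall back
    to the default instead of being echoed into the header."""
    if requested is None:
        return DEFAULT_CHARSET
    normalized = requested.strip().lower().replace("_", "-")
    return normalized if normalized in ALLOWED_CHARSETS else DEFAULT_CHARSET


def content_type_header(requested):
    """Build the Content-Type value from a (possibly attacker-chosen) charset."""
    return "text/html; charset=" + safe_charset(requested)


def parse_charset(content_type):
    """Extract the charset parameter from a Content-Type header value."""
    for part in content_type.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def user_controlled_charset(url, content_type):
    """Mirror the Watcher finding: return the name of the query parameter
    whose value is reflected as the response charset, or None."""
    charset = parse_charset(content_type)
    if charset is None:
        return None
    for name, values in parse_qs(urlparse(url).query).items():
        if any(v.strip().lower() == charset for v in values):
            return name
    return None


if __name__ == "__main__":
    # Constructed request resembling the one in the report above.
    url = "https://app.example/page?encoding=UTF-8&id=42"
    print(user_controlled_charset(url, "text/html; charset=UTF-8"))  # encoding
    # With the allowlist in place, a request for UTF-7 yields UTF-8.
    print(content_type_header("UTF-7"))  # text/html; charset=utf-8
```

Note that the check still reports `encoding` when the user legitimately sends `UTF-8` and the server answers with UTF-8, because the value is reflected either way; that is exactly why the tool flags the pattern rather than proving an exploit, as the reply above explains. The allowlist removes the part that matters: the attacker can no longer steer the browser to a charset the application never intended to serve.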