Firefox UTF-7 Universal XSS

Update 24 Sep 08: Seems fixed in Firefox 3.0.2, with
https://bugzilla.mozilla.org/show_bug.cgi?id=441876



Demo, to accompany my message:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058814.html

See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=408457
https://bugzilla.mozilla.org/show_bug.cgi?id=406777
https://bugzilla.mozilla.org/show_bug.cgi?id=356280
http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058752.html

You need to manually select View > Character Encoding > UTF-7:
the frame then inherits the encoding from this page,
even though the frame had correctly specified its own.

To trick the user into selecting UTF-7, the page should say something like:


If you do select UTF-7, then you will see a JS popup with your
google/gmail cookies. Similar attacks would work against
practically any website, both http and https (I chose gmail
at random, and apologize to them).

Of course we could have used <iframe style='display:none'>
to do this silently, and taken actions nastier than an alert().
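An added example (mine, not code from this demo page) that models the failure described above: a frame that was correctly HTML-escaped for its declared charset is re-decoded as UTF-7, so bytes that were harmless letters as sent turn into markup. The ISO-8859-1 label, the sample text and the function names are assumptions of the example; the check and the '+' escaping show what a site could do on its side.

```python
# Added example, not code from Paul Szabo's demo page. It models the failure
# the page describes: a frame that was correctly HTML-escaped for its declared
# charset is re-decoded as UTF-7, so '+ADw-'/'+AD4-' sequences become '<'/'>'.
# The charset label and the sample text are constructed for this example.
import html
from collections import Counter

HTML_SIGNIFICANT = '<>"\'&'


def render_frame(user_text: str, utf7_safe: bool = False) -> bytes:
    """Build the framed page as a server would: escape untrusted text and
    declare a charset. With utf7_safe=True the '+' shift character is turned
    into a numeric entity, so no UTF-7 shift sequence survives escaping."""
    escaped = html.escape(user_text, quote=True)
    if utf7_safe:
        escaped = escaped.replace("+", "&#43;")
    doc = ('<html><head><meta http-equiv="Content-Type" '
           'content="text/html; charset=ISO-8859-1"></head>'
           f'<body><p>{escaped}</p></body></html>')
    return doc.encode("ascii", errors="xmlcharrefreplace")


def utf7_smuggled_chars(page: bytes) -> dict:
    """Defender-side check: which HTML-significant characters appear ONLY
    after the page bytes are decoded as UTF-7 (ignoring the declared charset,
    which is what the inherited-encoding bug did), and how many of each."""
    literal = Counter(page.decode("latin-1"))                 # byte-for-byte view
    as_utf7 = Counter(page.decode("utf-7", errors="replace"))  # what the browser saw
    return {c: as_utf7[c] - literal[c]
            for c in HTML_SIGNIFICANT if as_utf7[c] > literal[c]}


if __name__ == "__main__":
    # Constructed sample: plain letters under ISO-8859-1, <b> markup under UTF-7.
    sample = "+ADw-b+AD4-hello+ADw-/b+AD4-"
    print(utf7_smuggled_chars(render_frame(sample)))                  # {'<': 2, '>': 2}
    print(utf7_smuggled_chars(render_frame(sample, utf7_safe=True)))  # {}
```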


Paul Szabo psz@maths.usyd.edu.au 24 Sep 08