Firefox UTF-7 Universal XSS

Update 24 Sep 08: Seems fixed in Firefox 3.0.2, with

Demo, to accompany my message:

See also:

You need to manually set View Encoding to UTF-7; the frame then
inherits the encoding from this page, even though the frame had
correctly specified its own.

To trick user into selecting UTF-7, should say something like:

If you do select UTF-7, then you will see a JS popup with your
Google/Gmail cookies. Similar attacks would work against
practically any website, both http and https (I chose Gmail
at random, and apologize to them).

Of course we could have used <iframe style='display:none'>
to do this silently, and performed actions nastier than an alert().

Paul Szabo 24 Sep 08
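
The inherited UTF-7 override described above matters to a site even when it escapes its output: text that is pure ASCII and has no markup characters under the declared charset can still decode to markup once the browser reads it as UTF-7. The following check is an added example, not part of the original demo; the function names and the sample string are constructed for illustration.

```python
import base64
import re

# Characters that change HTML parsing context once decoded.
HTML_SIGNIFICANT = set("<>\"'&")

# RFC 2152 shifted sequence: '+', modified-base64 body, optional '-' terminator.
SHIFTED = re.compile(r"\+([A-Za-z0-9+/]+)-?")

# Constructed sample: ASCII-only text that reads as "<b>hi" under UTF-7.
SAMPLE = "q=+ADw-b+AD4-hi"


def decode_shifted(body):
    """Decode one modified-base64 body (UTF-16BE units); None if not valid base64."""
    padded = body + "=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:
        return None
    raw = raw[: len(raw) - len(raw) % 2]  # drop a trailing partial code unit
    return raw.decode("utf-16-be", errors="replace")


def utf7_markup_hits(text):
    """Return (shifted sequence, decoded text) pairs that yield HTML-significant characters."""
    hits = []
    for match in SHIFTED.finditer(text):
        decoded = decode_shifted(match.group(1))
        if decoded and HTML_SIGNIFICANT & set(decoded):
            hits.append((match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for sequence, decoded in utf7_markup_hits(SAMPLE):
        print(f"{sequence!r} decodes under UTF-7 to {decoded!r}")
```

Ordinary text containing a plus sign, such as arithmetic, is not flagged because its shifted body either fails base64 validation or decodes to no HTML-significant character.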