Dear Stefan,

> This is actually a bug in MSIE, see CVE-2006-5152.

Not a bug in IE only, I have a demo that exploits it under Firefox. (In
fact my demo does not seem to work for IE, yet...)

Not really related to CVE-2006-5152. In fact that is a non-issue: the CVE
references my posts, but fails to reference my retraction
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

> ... no plan to backport ... it is of low impact.

I do not think that XSS and cookie theft (thus access to all data
protected by web login) is of low impact.

> ... setting AddDefaultCharset also protects from the issue.
> AddDefaultCharset is on in the default configurations ...

Thanks for that other workaround: yes it seems to protect my machines.
Now I am puzzled why AddDefaultCharset was commented out in my configs.

Still puzzled why Apache did not mention these workarounds.

Cheers,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia