hack0r.net


UTF-7 Stuff

Posted in Webapp Security by n00k on March 7th, 2007

A few days ago I got a link from Martin Johns (this) and started playing around with it.

A scenario for this: you have a page where everything between < and > is filtered out, which seems to rule out injecting <script> blocks. But here is the catch. If the page does not define a charset, neither in the HTTP header nor in a meta tag, we can load it in an iframe on a page whose charset is set to UTF-7. The payload then contains no < or > at all, only their UTF-7 forms +ADw- and +AD4-, and so it slips past the filter.

I got some code working which exploits this here. You may want to look at the page here, which will be loaded into the iframe, before you follow the link, since Firefox remembers the overridden charset for that page and will render its content as UTF-7, thereby executing the JavaScript. To reset it, just clear your browser cache.

Since I do not have a second domain at the moment and could not find a page that does not set the charset, I could not test what happens when a page from a foreign domain is loaded inside the iframe.

While looking for a page that does not define a charset, I found something else, which seems to be a fixed issue by now. On sites where the charset is defined not in the header but in a meta tag, pages generated by the web server itself should carry no charset at all. Too bad, someone else must have found that before me: 404 error pages, which at least in Apache's case echo the requested path, now magically have a charset defined in the header. If you have another idea how a web server may be tricked into generating a page without a charset, I would love to know.
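As an added example (not code from the original post), here is the filter bypass described above together with the charset check that closes it, using a constructed payload; the regexes and function names are my own assumptions about how such a filter and check would look.

```python
import re

# Constructed sample input (not from the original post): the filter-bypass
# payload the post describes, written with UTF-7 shift sequences instead of < and >.
UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def strip_tags(text: str) -> str:
    """The naive filter from the post: drop everything between < and >."""
    return re.sub(r"<[^>]*>", "", text)


def decode_as_utf7(text: str) -> str:
    """What a browser does with the bytes once it believes the page is UTF-7.
    The raw page only contains ASCII, so the filter sees no tags at all."""
    return text.encode("ascii", "strict").decode("utf-7")


def response_declares_charset(content_type: str, body: str) -> bool:
    """Mitigation check: True if the response pins its charset, either in the
    Content-Type header or in a <meta> tag, so an embedding page cannot impose UTF-7.
    (Assumed header/meta patterns; good enough to flag the 404 pages the post mentions.)"""
    if re.search(r";\s*charset\s*=\s*\S", content_type, re.IGNORECASE):
        return True
    return bool(re.search(r"<meta[^>]+charset\s*=", body, re.IGNORECASE))


if __name__ == "__main__":
    print("filter output  :", strip_tags(UTF7_PAYLOAD))      # payload passes untouched
    print("browser sees   :", decode_as_utf7(UTF7_PAYLOAD))  # <script>alert(1)</script>
    print("charset pinned :", response_declares_charset("text/html", "<html></html>"))
```

Running it shows the filter returning the payload unchanged while the UTF-7 interpretation is a full script tag; the third line is the check a server-side test can run against error pages to catch the charset-less responses the post went looking for.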


2 Responses to 'UTF-7 Stuff'


  1. n00k said,

    on March 12th, 2007 at 3:38 am

    Okay, now that I am the proud owner of hack0r.net, I could test what happens if the page inside the iframe is from a different domain. You can see it here.

    I tested this on Firefox 2.0.0.1, which does execute the JavaScript code, and Firefox 2.0.0.2, which has fixed this issue.

  2. n00k said,

    on March 12th, 2007 at 10:16 pm

    I have just tested this issue on IE 7. It is vulnerable even to the cross-domain issue.
    One thing IE does better than FF in this regard is that it does not save the charset of the page loaded inside the iframe.
