Thread-topic: [SA24314] Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
> ----------------------------------------------------------------------
>
> TITLE:
> Internet Explorer Charset Inheritance Cross-Site Scripting
> Vulnerability
>
> SECUNIA ADVISORY ID:
> SA24314
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Cross Site Scripting
>
> WHERE:
> From remote
>
> SOFTWARE:
> Microsoft Internet Explorer 7.x
>
>
> DESCRIPTION:
> Stefan Esser has discovered a vulnerability in Internet Explorer,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks.
>
> The vulnerability exist because pages that don't specify a charset
> inherit the charset of the parent page. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of certain sites that are included e.g. via iframes in a
> malicious page that uses UTF-7 as charset.
>
> Successful exploitation requires that the user is tricked into
> visiting a malicious web site.
>
> The vulnerability is confirmed in Internet Explorer 7 on a fully
> patched Windows XP. Other versions may also be affected.
>
> SOLUTION:
> Do not browse untrusted sites.
>
> PROVIDED AND/OR DISCOVERED BY:
> Stefan Esser
>
> ORIGINAL ADVISORY:
>
>
