Sunday, October 15. 2006
Today I noticed that calling Wikipedia directly with a URL like http://en.wikipedia.org/+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4- results in a 404 error page that contains an HTML redirect. The special thing about this page was that it did not send a charset in its Content-Type header.
Unfortunately several browsers can be tricked into assuming UTF-7 as the charset when no charset is given by the server or from within the HTML. Because the UTF-7 encoding uses only characters usually considered safe for HTML output, user input is usually not correctly escaped when it gets printed, which results in Cross Site Scripting vulnerabilities.
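To make the mechanism concrete, here is an added example (my own code, not from the post or from Wikipedia/Hardened-PHP): it shows that HTML escaping leaves the UTF-7 form of the quoted path untouched, what a browser that guessed UTF-7 would decode it to, and a simple check for responses that declare no charset at all. The `not_found_page` helper is a constructed stand-in for the 404 page described above.

```python
import html
import re
from typing import Optional

# Constructed sample: the path segment from the URL quoted above, as a 404
# page would echo it back into its HTML body.
ECHOED_PATH = "+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-"

CHARSET_IN_HEADER = re.compile(r"charset\s*=\s*([\w-]+)", re.I)
# Covers both <meta charset="..."> and the http-equiv Content-Type form.
CHARSET_IN_META = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([\w-]+)", re.I)


def escape_changes_input(user_input: str) -> bool:
    """True if html.escape() altered anything. For the UTF-7 form it does not:
    '+', '-', letters and digits are all considered safe, so nothing is escaped."""
    return html.escape(user_input) != user_input


def decode_as_utf7(body: bytes) -> str:
    """What a browser that guessed UTF-7 would hand to its HTML parser."""
    return body.decode("utf-7")


def declared_charset(headers: dict, body: bytes) -> Optional[str]:
    """Charset the response declares, from the header or a <meta> tag, else None."""
    m = CHARSET_IN_HEADER.search(headers.get("Content-Type", ""))
    if m:
        return m.group(1)
    m = CHARSET_IN_META.search(body.decode("ascii", "replace"))
    return m.group(1) if m else None


def is_sniffable(headers: dict, body: bytes) -> bool:
    """A response with no declared charset leaves the browser free to guess one."""
    return declared_charset(headers, body) is None


def not_found_page(path: str, declare: bool) -> tuple:
    """Constructed 404 page echoing the escaped path; 'declare' toggles the fix
    (an explicit charset in the Content-Type header)."""
    content_type = "text/html; charset=UTF-8" if declare else "text/html"
    body = f"<html><body>Not found: {html.escape(path)}</body></html>"
    return {"Content-Type": content_type}, body.encode("ascii")
```

The fix the Wikipedia admins applied amounts to the `declare=True` branch: once the server states a charset, the browser has nothing to guess and the escaped output means what the application intended.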
Luckily the Wikipedia admins were ultra fast in fixing this issue. After I sent my notification email it was fixed in less than 3 hours. This is a response time you would like to see every time you report a security hole.
A similar UTF-7 injection vulnerability in the popular ViewVC CVS/SVN viewer was disclosed by me today in a new Hardened-PHP Project advisory. In this advisory I also disclose the fact that the popular belief among web-application security people that this problem only affects Internet Explorer is wrong. There is a vulnerability in browsers of the Mozilla family that allows this kind of attack...
(Details will be disclosed when a fixed Firefox is released)