Redmine <= 0.8.7 UTF-7 XSS Vulnerability

Discovered by: p0deje (http://p0deje.blogspot.com)
Application: http://www.redmine.org/wiki/redmine/Download
SA: -
Date: 01.12.2009
Versions affected: <= 0.8.7
Vulnerability: Cross-site Scripting
Platform: Ruby (Ruby On Rails)

Description:
Redmine doesn't properly define the page character encoding, placing prior to <meta>. Thus it may be possible to create a page whose title contains JavaScript encoded in UTF-7, and it will be executed in Internet Explorer 7/8 with Auto-Select encoding turned on.

Proof-of-Concept:
1. Create a new issue with the title "+ADw-script+AD4-alert('XSS');+ADw-/script+AD4-" (without quotes)
2. Open it in Internet Explorer 7/8
3. Set Encoding options to Auto-Select

Result: JavaScript with alert will be executed
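
A defensive check for the condition described above, as an added example (not Redmine code and not part of the original advisory): it flags a response that declares no charset before text containing UTF-7 shifted blocks that decode to markup. The names `audit_charset` and `decode_utf7_block` and the sample pages are constructed here, and the check assumes that a charset in the Content-Type header, or in a <meta> preceding the text, is what stops the browser from guessing the encoding.

```ruby
# Added example: audit one HTTP response for the condition the advisory describes.
UTF7_SHIFT = %r{\+([A-Za-z0-9/]+)-}   # shifted block, e.g. "+ADw-"

# Decode one shifted block: unpadded base64 of UTF-16BE code units.
def decode_utf7_block(b64)
  padded = b64 + '=' * ((4 - b64.length % 4) % 4)
  raw = padded.unpack('m').first
  raw = raw[0, raw.bytesize - raw.bytesize % 2]        # drop a partial code unit
  raw.force_encoding('UTF-16BE').encode('UTF-8', invalid: :replace, undef: :replace)
end

# content_type: value of the Content-Type response header; html: response body.
# Assumption: a charset in the header, or in a <meta> that precedes the text in
# question, is what keeps the browser from guessing the encoding.
def audit_charset(content_type, html)
  findings = []
  return findings if content_type.to_s =~ /charset\s*=\s*["']?[\w-]+/i
  meta_pos = html =~ /<meta[^>]+charset\s*=/i
  findings << :no_charset_declared if meta_pos.nil?
  pos = 0
  while (m = UTF7_SHIFT.match(html, pos))
    pos = m.end(0)
    next unless decode_utf7_block(m[1]) =~ /[<>]/      # block decodes to markup
    next if meta_pos && m.begin(0) > meta_pos          # charset already declared
    findings << :utf7_markup_before_charset
  end
  findings.uniq
end

# Constructed sample pages (not Redmine output); the title is the advisory's PoC string.
POC_TITLE = "+ADw-script+AD4-alert('XSS');+ADw-/script+AD4-"
META = '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
LATE_META  = "<html><head><title>#{POC_TITLE}</title>#{META}</head></html>"
EARLY_META = "<html><head>#{META}<title>#{POC_TITLE}</title></head></html>"

p audit_charset('text/html', LATE_META)
p audit_charset('text/html', EARLY_META)
p audit_charset('text/html; charset=utf-8', LATE_META)
```

The first call reports the late declaration; the other two return no findings because the charset is fixed before the title is parsed.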