There’s been an interesting thread on bugtraq over the last few days about UTF-7 and Internet Explorer (with automatic character-encoding detection turned on) when requesting a file that doesn’t exist from a site hosted on an Apache server. Eiji James Yoshida disclosed this issue, which was already partially known (at least by a few people). The problem is that Internet Explorer substitutes its own custom error page for the server’s, so by itself the issue isn’t particularly useful. I looked into this when I first put the UTF-7 vector on the XSS Cheat Sheet.
However, what Paul Szabo discovered is that if you make the URL at least 512 bytes long, IE no longer returns its custom 404 error page but instead shows you the server’s actual error page for the URL you requested:
This amounts to an essentially universal XSS exploit against any Apache server with the default 404 error page, given those conditions. Granted, it does require automatic character set detection, but still. Pretty scary stuff. It looks like Apache needs to either start encoding the output or otherwise protect itself from UTF-7 injection, and Internet Explorer shouldn’t have character-count restrictions on when it displays its custom 404 page. Either (or both) of those would fix the issue.
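From the detection side, the tell in Apache’s access log is a 404 whose request path contains UTF-7 shift sequences that decode to markup, and, per Paul Szabo’s observation, a path long enough (at least 512 bytes) that IE would render the server’s page. The following scanner is an added example, not code from the post or from Apache; the log lines are constructed, and the 512-byte threshold is taken from the post.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed Apache "combined"-format log lines (not taken from the post). The second
# request asks for a non-existent path padded past 512 bytes and carries
# "+ADw-script+AD4-", the UTF-7 encoding of "<script>", which a sniffing browser
# would render as markup when Apache echoes the path in its default 404 page.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [10/Oct/2006:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [10/Oct/2006:13:55:41 +0000] "GET /' + "A" * 520
    + '+ADw-script+AD4-x+ADw-/script+AD4- HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [10/Oct/2006:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 298 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")   # a "+...-" run that may be a UTF-7 shift sequence
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)        # a decoded tag opener such as "<script" or "</a"

@dataclass
class Finding:
    client: str
    path_len: int
    bypasses_ie_page: bool  # True when the URL is long enough (>= 512 bytes) that IE shows the server's 404 page
    decoded_snippet: str

def decode_utf7_path(path: str) -> str:
    """Decode a request path the way a browser sniffing UTF-7 would, so "+ADw-" becomes "<"."""
    return unquote(path).encode("ascii", "replace").decode("utf-7", errors="replace")

def scan_access_log(text: str, min_len: int = 512) -> list[Finding]:
    """Flag 404 requests whose path, decoded as UTF-7, contains HTML markup."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue        # only Apache's error page echoes the path, so only 404s matter here
        path = m["path"]
        if not UTF7_SHIFT.search(path):
            continue        # no shift sequence, so "<" cannot be smuggled through UTF-7
        decoded = decode_utf7_path(path)
        tag = MARKUP.search(decoded)
        if tag is None:
            continue
        findings.append(Finding(m["client"], len(path), len(path) >= min_len,
                                decoded[tag.start():tag.start() + 40]))
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

On the server side, the mitigation the post asks for is to stop leaving the charset open to sniffing, for example by declaring one explicitly with Apache’s AddDefaultCharset directive, and to HTML-encode the echoed path in the error page.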