[20028] in bugtraq


Re: User may be fooled to execute programs browsing with IE5.1

daemon@ATHENA.MIT.EDU (Thomas Roessler)
Wed Apr 4 21:44:23 2001

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Message-ID:  <20010404121642.H26342@sobolev.does-not-exist.org>
Date:         Wed, 4 Apr 2001 12:16:42 +0200
Reply-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
From: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <004001c0bc56$0b390730$ef9451d4@servidor>; from
              aguileta@EUNATE.NET on Tue, Apr 03, 2001 at 05:52:10PM +0200
Content-Transfer-Encoding: 8bit

On 2001-04-03 17:52:10 +0200, Jesús López de Aguileta wanted to
write:

> -----8<----8<---
> Content-Type: application/x-shockwave-flash
>  name="hello.exe"
> Content-Transfer-Encoding: base64
> Content-ID: <KR>
> 
> [Here encoded executable]
> 
> ---8<----8<---

> IE again asks for "open this file" instead of "open this program".
> And the difference isn't only in the type of the question. The
> Authenticode window doesn't pop up if you click the OK button.

Well, basically the behaviour looks correct to me.  Why shouldn't a
shockwave flash end in .exe?  After all, there's a reason why we
have Content-Type values....

However, there's one thing I don't understand - if Windows
absolutely has to rely on file name extensions to make some of the
security-relevant decisions, why doesn't the browser force the file
name to match the content-type header when storing the file?

Why don't you just automatically rename an attachment like the one
given above to hello.exe.swf upon saving or passing to a viewer,
thereby tagging it with correct type information, and avoiding the
problems?  Just ignoring the Content-Type field certainly wouldn't be
the right thing.

(Although it's something Microsoft MIME implementations are infamous
for.)

BTW, what I'm talking about here is basically just the same thing as
the nametemplate field in mailcap entries, as defined in RFC 1524,
from September 1993.

-- 
Thomas Roessler			    <roessler@does-not-exist.org>
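The renaming rule proposed in the message above (store or hand off the attachment under a name whose extension belongs to the declared Content-Type, so that "hello.exe" declared as application/x-shockwave-flash is saved as "hello.exe.swf"), as an added Python example that is not part of the original post and not code from any browser or mail client. The CANONICAL_EXT table, the function names and the sample attachment names are constructed for this example; Python's standard mimetypes database is only a fallback for types the table does not list. The apply_nametemplate helper mirrors the RFC 1524 mailcap nametemplate field the message mentions, with the sanitised attachment name standing in for the unique string a mailcap implementation would generate.

```python
import mimetypes
import re

# Constructed, deliberately small table of the one extension we consider
# canonical for a media type.  Checking against a single canonical extension
# (rather than every extension a mime.types database maps to the type) matters:
# system databases list things like .bat under text/plain, which would let a
# dangerous suffix pass as "already matching".
CANONICAL_EXT = {
    "application/x-shockwave-flash": ".swf",
    "text/plain": ".txt",
    "text/html": ".html",
    "image/gif": ".gif",
}

# Characters that are illegal in Windows file names, plus control characters.
_BAD_CHARS = re.compile(r'[\x00-\x1f\x7f/\\:*?"<>|]')


def media_type(content_type):
    """Lowercased type/subtype of a Content-Type value, parameters dropped
    (e.g. 'text/plain; charset=iso-8859-1' -> 'text/plain')."""
    return content_type.split(";", 1)[0].strip().lower()


def canonical_extension(content_type):
    """Extension that belongs to the declared type, or None if unknown."""
    mtype = media_type(content_type)
    if mtype in CANONICAL_EXT:
        return CANONICAL_EXT[mtype]
    ext = mimetypes.guess_extension(mtype, strict=False)  # platform fallback
    return ext.lower() if ext else None


def safe_basename(name):
    """Reduce a supplied attachment name to a plain file name: keep only the
    last path component, replace illegal characters, and strip trailing dots
    and spaces (Windows removes those silently, which would otherwise let
    'hello.exe.' end up as 'hello.exe')."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _BAD_CHARS.sub("_", base).rstrip(". ")
    return base or "attachment"


def enforce_extension(content_type, name):
    """Return the name under which the attachment should be stored.

    If the (case-insensitive) suffix already matches the canonical extension
    for the declared type, the name is kept; otherwise the canonical extension
    is appended, so 'hello.exe' sent as application/x-shockwave-flash becomes
    'hello.exe.swf'.  For a type with no known extension the sanitised name is
    returned unchanged; a cautious client would refuse to open such a file.
    """
    base = safe_basename(name)
    ext = canonical_extension(content_type)
    if ext is None or base.lower().endswith(ext):
        return base
    return base + ext


def apply_nametemplate(template, name):
    """RFC 1524 mailcap nametemplate: '%s' in the template is replaced by the
    name used for the temporary file, here the sanitised attachment name."""
    return template.replace("%s", safe_basename(name))


if __name__ == "__main__":
    # Constructed sample: the attachment from the quoted message.
    print(enforce_extension("application/x-shockwave-flash", "hello.exe"))
    print(apply_nametemplate("%s.swf", "hello.exe"))
```

The appended-suffix approach keeps the original name visible to the user while making the operating system's extension-based decision agree with the sender's declared type; stripping the old suffix instead would hide what the sender claimed the file was.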
