[21961] in bugtraq


Re: TXT or HTML? -- IE NEW BUG

daemon@ATHENA.MIT.EDU (Dylan Griffiths)
Sat Jul 28 22:33:42 2001

Message-ID: <3B6277A7.508C1F07@bigfoot.com>
Date: Sat, 28 Jul 2001 02:28:23 -0600
From: Dylan Griffiths <Dylan_G@bigfoot.com>
MIME-Version: 1.0
To: cr4zybird <cr4zybird@hotmail.com>
Cc: Bugtraq <BUGTRAQ@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

cr4zybird wrote:
> description:
> IE doesn't recognize the extensions of files, which
> may contain some html
> code.

IE's behaviour of ignoring a server's MIME type and doing its own magic(5)
on the file before handling is a "feature" that has existed in it since some
MS programmer decided it was a low risk, high reward feature (which it's
not, he should've read "Writing Solid Code" 1993 MS Press).  I think only a
few ancient web servers today still give the incorrect type for files such
as PNG.

I think this behaviour is also tickled by the various Outlook viruses (they
hide their "real" type by using a no-show extension).

JavaScript itself in a browser like x86 IE (where Microsoft has put much
code to leverage ActiveX, etc) is dangerous anyways, because of the core OS
control being in bed with something which parses remotely originated,
untrusted data.  Not to mention the more general JavaScript problem that
clients are trusting remote server code, and servers trusting remote client
code results. But everyone says I'm too paranoid :)

--
    www.kuro5hin.org -- technology and culture, from the trenches.
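
The server-side counterpart to the sniffing behaviour discussed in this message, as an added example that is not part of the original post: a Python check that flags files whose declared type is not HTML but whose leading bytes contain HTML markers, plus response headers that tell a client to keep the declared type. The tag list, the 256-byte window and all function names are assumptions made for illustration.

```python
import re

# Assumption: an illustrative tag list modelled on published sniffing
# signatures, not IE's exact internal table.
HTML_MARKER = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|iframe|title|table|img|"
    rb"style|div|font|pre|br|h1|a|b|p)[\s>/]",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # assumption: leading bytes a sniffer inspects
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def media_type(content_type: str) -> str:
    """Strip parameters such as charset and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff_risk(declared_type: str, body: bytes, window: int = SNIFF_WINDOW) -> bool:
    """True when a non-HTML declared type carries HTML markers up front."""
    if media_type(declared_type) in HTML_TYPES:
        return False  # already handled as HTML; nothing is being disguised
    return HTML_MARKER.search(body[:window]) is not None


def hardened_headers(declared_type: str) -> dict:
    """Response headers that tell the client to keep the declared type."""
    return {
        "Content-Type": declared_type,
        # Honoured by IE 8 and later and by current browsers.
        "X-Content-Type-Options": "nosniff",
        # Download rather than render, for user-supplied files.
        "Content-Disposition": "attachment",
    }


# Constructed sample uploads: (name, declared type, body).
SAMPLES = [
    ("notes.txt", "text/plain", b"meeting notes: 1 < 2 and 3 > 2\n"),
    ("page.txt", "text/plain; charset=us-ascii", b"<HTML><body>hi</body></HTML>"),
    ("index.html", "text/html", b"<html><body>hi</body></html>"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, ctype, "RISK" if sniff_risk(ctype, body) else "ok")
```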
