[21991] in bugtraq


Re: TXT or HTML? -- IE NEW BUG

daemon@ATHENA.MIT.EDU (Tom Laermans)
Sun Jul 29 13:30:29 2001

Message-Id: <5.1.0.14.2.20010729131542.048cbeb8@mail.powersource.cx>
Date: Sun, 29 Jul 2001 13:20:53 +0200
To: "Fred Oliveira" <kript0n@europeonline.com>
From: Tom Laermans <tom.laermans@powersource.cx>
Cc: bugtraq@securityfocus.com
In-Reply-To: <001401c11751$fd4daac0$0100a8c0@bird>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi,

At 12:42 28/07/2001, you wrote:
>It is my belief that Microsoft is aware of this. After all, they know they
>have html parsers on their programs, because that's one of the functions of
>those (go imagine IE not parsing html targets on files it reads stand-alone.
>it wouldn't be a browser at all). Thus, this is no bug at all. Probably the
>code parsing shouldn't be done in files other than .html, .htm, but if it is
>not to be considered as a bug.

Actually, it is a very large bug. Windows uses some sort of content-type in
its registry for all file extensions (check it out) ... Damn there are no
content-type thingies in 2K .. there WERE in 98 .. I'm sure of it. It
should only interpret for the HTML content type (text/html iirc) ... NOT
for any other. So don't filter on .html, .htm, but only on the content
type. (why else is the Content-Type: header present??)

>I consider these not solutions to what you point out as a problem, but

They are...

>general tips to avoid security problems. Antiviral software won't prevent
>html parsers from doing their job. Also, changing name of system utilities
>won't do anything at all. About your 4th solution. I don't believe antiviral
>software detects any kind of html or activex as being potentially harmful.

Actually it does. If I surf to a site, defaced with the IIS/sadmind worm,
like www.nntp.be (their webmaster was mailed long time ago that their site
was defaced, but... *sigh* oh well now I can use this as an example), McAfee
VShield pops up saying "Infected filename: <blablabla\temporary internet
files\blablabla> infected with SunOS/BoxPoison.worm ......." So it does
warn... twice, even.

>And finally, I don't believe any patch will come out to prevent html
>parsing.

Of course not. Then there would be no browsers anymore. But there HAS to
come a patch to prevent html parsing on non-html files.

Tom

-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out:  http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
-------------------------------------------------
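
The rule argued for in this message (interpret a file as HTML only when its declared content type is text/html, never because of its extension or its contents), sketched as an added example that is not part of the original post. The function names, the marker list and the sample inputs are assumptions constructed for illustration; the mismatch flag is an addition that a filter or log pipeline could alert on.

```python
from email.message import Message

# Declared types for which HTML interpretation is allowed (assumed allow-list).
HTML_TYPES = {"text/html", "application/xhtml+xml"}
# Crude markers used only to flag a mismatch, never to decide rendering.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<object")


def media_type(content_type_header):
    """Return the lowercased type/subtype of a Content-Type header, or None."""
    if not content_type_header:
        return None
    msg = Message()
    msg["Content-Type"] = content_type_header
    # Parameters such as charset are dropped; malformed values become text/plain.
    return msg.get_content_type()


def looks_like_html(body, window=1024):
    """True if the first bytes of the body contain an HTML marker."""
    head = body[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def handling(content_type_header, body):
    """Return (action, mismatch) for a document.

    action   -- "render_html", "show_as_text" or "download"
    mismatch -- True when the body looks like HTML but was not declared as
                HTML; the content is still never rendered in that case.
    """
    mtype = media_type(content_type_header)
    if mtype in HTML_TYPES:
        return ("render_html", False)
    mismatch = looks_like_html(body)
    if mtype is not None and mtype.startswith("text/"):
        return ("show_as_text", mismatch)
    # Unknown or missing type: do not guess, hand the bytes over as a file.
    return ("download", mismatch)


if __name__ == "__main__":
    # Constructed sample: a .txt-style response that carries HTML markup.
    print(handling("text/plain; charset=us-ascii", b"<html><body>hi</body></html>"))
```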

