[22967] in bugtraq
Re: Minor IE vulnerability: about: URLs
daemon@ATHENA.MIT.EDU (Julian Hall)
Tue Oct 23 17:38:25 2001
Message-ID: <3BD5ACAB.DB26BDA@acris.co.uk>
Date: Tue, 23 Oct 2001 18:45:15 +0100
From: Julian Hall <jules@acris.co.uk>
MIME-Version: 1.0
To: nick@virus-l.demon.co.uk
Cc: bugtraq@securityfocus.com, Clover Andrew <aclover@1value.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Nick FitzGerald wrote:
> Users just *may* be able to control handling of "about:" URLs (at
> least insofar as breaking them completely counts as "controlling
> them" 8-) ). There is a registry key:
>
> HKCR\PROTOCOLS\Handler\about
>
> which in the fairly default install of IE 5.5 on this machine holds
> two values -- an empty default value and a CLSID string value set to
> {3050F406-98B5-11CF-BB82-00AA00BDCE0B}. In HKCR\CLSID that CLSID is
> described as "Microsoft HTML About Pluggable Protocol" and (not
> surprisingly) an InProcServer of "%SystemRoot%\System32\mshtml.dll".
>
> I imagine you could munge either the InProcServer value of the CLSID
> to break all references to the about: protocol called through a CLSID
> reference or just munge the CLSID value in the Protocol\about key to
> break calls to the about: protocol via the approved mechanisms for
> protocol handling.
Another approach would be to write your own version of the about: protocol
module, and point the server to your implementation DLL.
Non-vendor-approved patch, anyone? :-)
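An added example, not part of the original thread: a PowerShell check that walks the registration chain Nick describes (HKCR\PROTOCOLS\Handler\about, its CLSID value, and that CLSID's in-process server) and flags any deviation from the expected mshtml.dll handler. It assumes the standard COM value name InProcServer32 holds the DLL path; the CLSID and path are the ones quoted in the message.

```powershell
# Added example: verify the about: pluggable-protocol registration described
# in the thread still points at the expected CLSID and DLL. The CLSID and DLL
# path come from the message above; InProcServer32 is the standard COM value
# name (assumption: this host's registration layout matches that description).
$ExpectedClsid = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}'
$ExpectedDll   = Join-Path $env:SystemRoot 'System32\mshtml.dll'

function Test-AboutProtocolHandler {
    $findings = @()

    # 1. The protocol handler key must exist and name the expected CLSID.
    $handlerKey = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about'
    $handler = Get-ItemProperty -Path $handlerKey -ErrorAction SilentlyContinue
    if (-not $handler) {
        return @('Handler key missing: about: URLs have no registered handler')
    }
    $clsid = $handler.CLSID
    if ($clsid -ne $ExpectedClsid) {
        $findings += "Handler CLSID is '$clsid', expected '$ExpectedClsid'"
    }

    # 2. Whatever CLSID is registered, its in-process server must be the
    #    mshtml.dll in System32, not a substituted module.
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
    if (-not $server) {
        $findings += "No InProcServer32 registered for CLSID $clsid"
        return $findings
    }
    # The (default) value holds the DLL path; expand %SystemRoot%-style variables.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
    if ([string]::IsNullOrEmpty($dll) -or ($dll -ine $ExpectedDll)) {
        $findings += "InProcServer32 is '$dll', expected '$ExpectedDll'"
    }
    elseif (-not (Test-Path -LiteralPath $dll)) {
        $findings += "Registered handler DLL '$dll' does not exist on disk"
    }
    return $findings
}

$result = @(Test-AboutProtocolHandler)
if ($result.Count -eq 0) { 'about: handler registration looks intact' }
else { $result | ForEach-Object { "WARNING: $_" } }
```

Run it in a baseline and again after any suspected tampering; a changed CLSID or a server path outside System32 is the "munged" state the thread describes.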