[22980] in bugtraq
Re: Minor IE vulnerability: about: URLs
daemon@ATHENA.MIT.EDU (Clover Andrew)
Wed Oct 24 13:32:09 2001
Date: Wed, 24 Oct 2001 15:15:55 +0200
Message-ID: <D58B0195B58937489E89124469E57CA249D9D8@EX1.1value.com>
From: "Clover Andrew" <aclover@1value.com>
To: <bugtraq@securityfocus.com>
Cc: <list@webdesign-l.com>

Julian Hall <jules@acris.co.uk> wrote:
> Another approach would be to write your own version of the
> about: protocol module, and point the server to your
> implementation DLL.

Aye, that would work. But after wandering aimlessly in the registry I've
stumbled upon a quicker workaround.

Go to
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
and add a DWORD, name 'about', value '4'. This puts about: URLs in the
Restricted Sites Zone. Hurrah!

--
Andrew Clover
Technical Consultant
1VALUE.com AG
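
The registry change described in the message above, as an added example that is not part of the original post: a PowerShell script that lists the existing scheme-to-zone defaults, sets 'about' to 4, and verifies the result. The helper names Get-ProtocolZone, Set-ProtocolZone and Format-Zone are made up for this example; the zone names are the standard Internet Explorer zone numbering.

```powershell
# Added example (not from the original post). Run elevated: the key is under HKLM.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
# Standard Internet Explorer security zone numbers.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# Properties the registry provider adds to every item; these are not scheme names.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ProtocolZone {
    # Returns the zone number mapped to a URL scheme, or $null if no default is set.
    param([Parameter(Mandatory)][string]$Scheme)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $entry = $props.PSObject.Properties[$Scheme]
    if ($null -eq $entry) { return $null }
    return [int]$entry.Value
}

function Set-ProtocolZone {
    # Creates (or overwrites) the DWORD named after the scheme with the zone number.
    param([Parameter(Mandatory)][string]$Scheme,
          [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Format-Zone {
    param($Zone)
    if ($null -eq $Zone) { return '(no default set)' }
    if ($ZoneNames.ContainsKey([int]$Zone)) { return "$Zone ($($ZoneNames[[int]$Zone]))" }
    return "$Zone (unknown zone)"
}

# Show every scheme that already has a default, so the change is seen in context.
$current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
if ($current) {
    $current.PSObject.Properties |
        Where-Object { $_.Name -notin $ProviderProps } |
        ForEach-Object { '{0,-10} -> {1}' -f $_.Name, (Format-Zone $_.Value) }
}

"before: about -> $(Format-Zone (Get-ProtocolZone -Scheme 'about'))"
Set-ProtocolZone -Scheme 'about' -Zone 4
$after = Get-ProtocolZone -Scheme 'about'
"after:  about -> $(Format-Zone $after)"
if ($after -ne 4) { throw "about: is not mapped to the Restricted Sites zone (got '$after')" }
```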