[23106] in bugtraq
Re: Microsoft IE cookies readable via about: URLS
daemon@ATHENA.MIT.EDU (Clover Andrew)
Mon Nov 12 11:12:15 2001
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Date: Mon, 12 Nov 2001 16:14:43 +0100
Message-ID: <D58B0195B58937489E89124469E57CA249DA09@EX1.1value.com>
From: "Clover Andrew" <aclover@1value.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
> This was hinted at in Andrew Clover's message of 19 October
Yes. I noted that "IE incorrectly applies HTTP-style URL parsing to
'about:' URLs", from which I really should have investigated further to
find that in fact it doesn't recognise the difference between http: and
about: at all in the case of cookie access security. My bad - having
found what I considered enough of a hole to require patching, I didn't
go further and find its full potential.
> That's interesting, given they seemed to think there was no
> problem (despite the flaw being obvious to the rest of the
> world) back when Andrew mentioned it...
Well, my exploit was less serious than this, but it was indicative of
brokenness, and I would have expected the IE team to at least
investigate. Instead, Microsoft seemed more interested in arguing
Mitigating Factors. It would be easiest to simply remove the
about-unknown-page-echoing-"feature", since it is of no legitimate use
whatsoever (or at least enforce HTML-escaping on it). I do not expect
the patch for Jouko's more serious exploit to do so, when it's released,
but there's always hope.
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\ProtocolDefaults\about = 4
Indeed, I've been using this a while with no problems, recommend it.
--
Andrew Clover
Technical Consultant
1VALUE.com AG
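As an added example (not part of the original thread), a PowerShell audit of the registry mitigation Nick quoted above: mapping the about: protocol to URL security zone 4 (Restricted sites) so that about: pages get no more trust than untrusted Internet content. The function names and the both-hive check are my own; the zone numbering (0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted) is IE's documented layout.

```powershell
# Added example: report whether the about: protocol default has been
# pushed into the Restricted sites zone (4), per the thread's workaround.
# Both HKLM and HKCU are inspected because ZoneMap settings can live in either.
function Test-AboutProtocolZone {
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = $null
        if (Test-Path $path) {
            # Missing value -> $null, meaning IE falls back to its built-in default.
            $value = (Get-ItemProperty -Path $path -Name 'about' -ErrorAction SilentlyContinue).about
        }
        [pscustomobject]@{
            Hive      = $hive
            AboutZone = $value
            Mitigated = ($value -eq 4)   # 4 = Restricted sites zone
        }
    }
}

# Apply the workaround from the thread (requires an elevated shell for HKLM).
function Set-AboutProtocolZone {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'about' -PropertyType DWord -Value 4 -Force | Out-Null
}

Test-AboutProtocolZone | Format-Table -AutoSize
```

Run the audit first; only call Set-AboutProtocolZone on machines where a row shows Mitigated = False.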