[9831] in bugtraq
Re: More Internet Explorer zone confusion
daemon@ATHENA.MIT.EDU (Walt Armour)
Mon Mar  8 12:30:54 1999
Date: 	Mon, 8 Mar 1999 00:18:10 -0800
Reply-To: Walt Armour <walt@BLARG.NET>
From: Walt Armour <walt@BLARG.NET>
X-To:         Jim Paris <jim@JTAN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199903060253.VAA03581@io.jtan.com>

I would agree that these are still issues but there is a difference
between them and the original problem.

With the original problem any site could redirect you to a site and make
it look like Local Intranet simply by using the 'http://031713501415/'
format.

With these two new issues someone must have direct knowledge about your
machine's configuration or have direct access to your machine in order to
make a not-quite-too-common configuration change.  If either of these
situations occurs then the safety level of my browser will quickly become
the least of my worries.  :)

IMO Microsoft is right in saying that the problems are (marginally)
different.  Whether or not their method for determining "local intranet"
is right is a completely different subject.

walt

On Fri, 5 Mar 1999, Jim Paris wrote:
> Even after the patch described in Microsoft Security Bulletin MS98-016
> (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still
> has big problems with distinguishing between sites that belong in the
> "Internet Zone" and sites that belong in the "Local Intranet Zone".
>
> MS98-016 dealt with addresses such as http://031713501415/, which
> resolve to Internet hosts but are categorized as being in the "Local
> Intranet Zone".
>
> I've found two cases where the problem still exists.  The first is when
> the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings
> set to include domains such as "com".  In that case, the address
> 	http://microsoft/
> will retrieve the page at
> 	http://microsoft.com/
> but it will be considered to be in the "Local Intranet Zone".
>
> The second case occurs when a host has an assigned alias in the hosts
> table (C:\WINDOWS\HOSTS).  A host table entry such as:
> 	207.46.131.13	hello
> will cause the URL
> 	http://hello/
> to retrieve the page at http://207.45.131.13/, but (yep, you guessed it)
> Internet Explorer still considers it to be in the "Local Intranet Zone".
>
> This has security implications, since settings for the Local Intranet
> Zone may be (and, by default, ARE) less secure than those for the
> Internet Zone.
>
>
> And the funny part?  Microsoft's response when I told them this:
>
> --8<---cut here-----------------------------------------
>
> Hi Jim -
>
> Had a talk with one of the IE developers, and this behavior is correct.
> Here's why: it's impossible to tell from an IP address whether it's internal
> or external.  100.100.100.100, or any other address, could be either
> internal or external, depending on whether you're behind a firewall or not.
> That means that IE has to rely on the URL.  By convention, an URL that does
> not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
> internal site.  I'm told that this is how all web browsers make the
> distinction.  You have to make specific reconfigurations to allow the
> dotless URLs to resolve externally. Thanks,
>
> Secure@Microsoft.Com
>
> --8<---cut here-----------------------------------------
>
>
> "This behavior is correct"?!?!?!  Give me a break.  They obviously
> didn't think so when they released the MS98-016 bulletin.
>
>
> Jim Paris
> jim@jtan.com
>
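
Added example, not part of the original thread and not Internet Explorer's code: it applies the "no dot means Local Intranet" rule described above to the hosts from these messages, next to one possible alternative that classifies by the address the name actually resolves to. The resolver table, the `microsoft` placeholder address, `fileserver`, the intranet ranges and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the administrator declares which networks count as intranet.
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the local resolver (hosts file + DNS suffix search).
SAMPLE_RESOLVER = {
    "hello": "207.46.131.13",     # hosts alias quoted in the thread
    "microsoft": "203.0.113.10",  # placeholder address, not a real lookup
    "fileserver": "10.0.0.5",     # constructed internal host
}

def parse_numeric_host(host):
    """Parse a single-number host as inet_aton-style parsers do (0 = octal, 0x = hex)."""
    if not (host.isascii() and host.isalnum()):
        return None
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.startswith("0") and len(host) > 1:
            value = int(host, 8)
        else:
            value = int(host, 10)
    except ValueError:
        return None  # not a number at all, e.g. "hello"
    return ipaddress.IPv4Address(value) if 0 <= value <= 0xFFFFFFFF else None

def dotless_zone(host):
    """The convention described in the thread: no dot in the host means intranet."""
    return "Local Intranet" if "." not in host else "Internet"

def resolved_zone(host, resolver=SAMPLE_RESOLVER, intranet_nets=INTRANET_NETS):
    """Classify by the resolved address; unresolved names get the stricter zone."""
    addr = parse_numeric_host(host)
    if addr is None:
        try:
            addr = ipaddress.IPv4Address(host)  # ordinary dotted quad
        except ValueError:
            target = resolver.get(host.lower())
            if target is None:
                return "Internet"
            addr = ipaddress.IPv4Address(target)
    return "Local Intranet" if any(addr in n for n in intranet_nets) else "Internet"

def compare(hosts):
    """Map each host to (dotless-rule zone, resolved-address zone)."""
    return {h: (dotless_zone(h), resolved_zone(h)) for h in hosts}

if __name__ == "__main__":
    for host, zones in compare(["031713501415", "microsoft", "hello", "fileserver"]).items():
        print(f"{host:14} dotless={zones[0]:15} resolved={zones[1]}")
```

The octal form from MS98-016 decodes to the same address as the hosts-table entry in the second case, so all three inputs from the thread land in the Internet zone once the resolved address is what gets classified.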