Bugtraq mailing list archives
Re: IE Domain Confusion Vulnerability doesn't matter much
From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 12 May 2000 11:05:11 -0600
On Fri, 12 May 2000, Richard M. Smith wrote:
Hi,

This same IE bug can also be exploited from an HTML Email message in Outlook and Outlook Express. The trick is to put the magic URL in an HTML IFRAME tag. Example:
That is why you are supposed to configure Outlook to use a restricted security zone for reading mail that doesn't allow any "active scripting languages", etc. It doesn't make using Outlook safe, but protects against simplistic things like this. This whole thing was gone through a few months ago with the "cross site scripting" issue. The issues are the same. There are lots of ways to do this if you don't have the zone you use for reading mail locked down; you can just use JavaScript in the message itself if you want. [...]
This is a pretty bad bug. People's private data at Web sites is at risk here.
...and has been for a long time. The sad thing is that this hole doesn't actually expose much in the way of new risks compared to what was known a month or two ago. I repeat: this hole exposes very little that wasn't already exposed. Do not rate the seriousness of problems based on the media attention they get.

Why? Well, for an example, take a look at the sites listed in "implications" at http://peacefire.org/security/iecookies/ Are they vulnerable to cross site scripting? Let's run through them:

HotMail: vulnerable (well, through passport)
Yahoo Mail: vulnerable
Amazon.com: vulnerable
mp3.com: nothing obvious, but almost certainly there somewhere
nytimes.com: vulnerable (assuming .nytimes.com cookies; http://email.nytimes.com/foo<B>bold.jsp)
hollywood.com: vulnerable
playboy.com: vulnerable

Nearly all of the sites are vulnerable to the so-called cross site scripting attacks anyway. That is no secret; the cross site scripting problem is well documented technically. People just didn't pay much attention to it because it isn't a bug in a particular single piece of software that you can make a nice little pretty exploit that looks good for the press. It is a far more serious security issue, however.

************************************************************
The message to take away here: In general, cookies are not secure from being stolen and never will be. The critical thing for sites to do is minimize the risk and the impact when cookies are stolen.
************************************************************

Also interesting is the fact that I reported an almost identical (just using %20 instead of %2f) hole to Microsoft nearly two months ago. Unfortunately, actually getting a fix out for it got delayed and delayed... etc. and never did end up getting released. I'm sure that will change now.
To summarize: almost every site that has interesting cookies is already vulnerable to cross site scripting, so this particular hole in IE doesn't increase that risk much. It is still damn scary, but that has been known for some time among people who followed the cross site scripting issue. This also means that fixing this hole in IE removes almost none of the risks.
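The two things Marc's message turns on, a site echoing part of the request URL back into its page (the nytimes.com entry in his list) and his takeaway that sites must limit the damage when a cookie is stolen, as an added example in Python that is not part of the original post and not code from any of the sites named. The names render_not_found_unsafe, render_not_found_safe, injects_markup, SessionStore and session_cookie_header are assumed for illustration, and the test path is constructed.

```python
"""Added example, not from the post: a reflected 'not found' page as a
cross-site scripting sink, plus the site-side controls that bound the
damage when a session cookie is stolen.  All names are assumed."""
import html
import re
import secrets
import time
from urllib.parse import unquote


def render_not_found_unsafe(path: str) -> str:
    """Echoes the decoded request path into the page verbatim, so markup
    characters in the path become markup in the response (the pattern
    behind the nytimes.com entry in the post)."""
    return f"<html><body><p>Page {unquote(path)} was not found.</p></body></html>"


def render_not_found_safe(path: str) -> str:
    """Same page with the reflected value HTML-escaped: '<', '>', '&' and
    quotes are rendered as text, never as tags or attributes."""
    return (f"<html><body><p>Page {html.escape(unquote(path), quote=True)} "
            "was not found.</p></body></html>")


_TAG_RE = re.compile(r"<[^>]*>")


def injects_markup(render, path: str) -> bool:
    """Defender's check for a template: does rendering `path` produce tags
    that rendering a harmless path does not?  True means the value is
    reflected unescaped and the page is an XSS sink."""
    baseline = _TAG_RE.findall(render("/harmless"))
    return _TAG_RE.findall(render(path)) != baseline


class SessionStore:
    """Server-side session table.  Since the post's point is that cookies
    will be stolen, the cookie carries only a random opaque token; its
    meaning lives here, where it can expire quickly and be revoked."""

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # token -> (user, expires_at)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._sessions[token] = (user, self._now() + self._ttl)
        return token

    def resolve(self, token: str):
        """Returns the user for a live token, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[token]
            return None
        return user

    def revoke(self, token: str) -> None:
        """Logout: the token stops working even if a copy was stolen."""
        self._sessions.pop(token, None)

    def revoke_all_for(self, user: str) -> int:
        """Password change / 'log out everywhere': kills every copy."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def session_cookie_header(token: str, ttl_seconds: int) -> str:
    """Set-Cookie value for the session token.  Secure keeps it off plain
    HTTP; HttpOnly (a browser attribute that postdates this 2000 thread)
    keeps it away from script; Max-Age matches the server-side lifetime."""
    return (f"sid={token}; Path=/; Max-Age={ttl_seconds}; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    bad = "/foo<B>bold.jsp"                                # constructed path
    print(injects_markup(render_not_found_unsafe, bad))    # True
    print(injects_markup(render_not_found_safe, bad))      # False
    store = SessionStore(ttl_seconds=60)
    tok = store.issue("alice")
    print(session_cookie_header(tok, 60))
```

The escaping fixes the sink; the session store is the part that answers the banner in the post: a stolen token is worth at most one short TTL, and a logout or password change makes every stolen copy useless immediately, which a long-lived cookie that encodes identity directly cannot offer.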