Bugtraq mailing list archives

Re: IE Domain Confusion Vulnerability doesn't matter much


From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 12 May 2000 11:05:11 -0600


On Fri, 12 May 2000, Richard M. Smith wrote:

> Hi,
>
> This same IE bug can also be exploited from an HTML Email
> message in Outlook and Outlook Express.  The trick is
> to put the magic URL in an HTML IFRAME tag.  Example:

That is why you are supposed to configure outlook to use a restricted
security zone for reading mail that doesn't allow any "active scripting
languages", etc.

It doesn't make using outlook safe, but protects against simplistic things
like this.  This whole thing was gone through a few months ago with the
"cross site scripting" issue.  The issues are the same.  There are lots of
ways to do this if you don't have the zone you use for reading mail locked
down; you can just use javascript in the message itself if you want.

[...]

> This is a pretty bad bug.  People's private data at
> Web sites is at risk here.

...and has been for a long time.  The sad thing is that this hole doesn't
actually expose much in the way of new risks compared to what was known a
month or two ago.  I repeat: this hole exposes very little that wasn't
already exposed.  Do not rate the seriousness of problems based on the
media attention they get.  Why?  Well, for an example, take a look at the
sites listed in "implications" at http://peacefire.org/security/iecookies/

Are they vulnerable to cross site scripting?  Let's run through them:

HotMail: vulnerable (well, through passport)
Yahoo Mail: vulnerable
Amazon.com: vulnerable
mp3.com: nothing obvious, but almost certainly there somewhere
nytimes.com: vulnerable (assuming .nytimes.com cookies; http://email.nytimes.com/foo<B>bold.jsp)
hollywood.com: vulnerable
playboy.com: vulnerable

Nearly all of the sites are vulnerable to the so-called cross site
scripting attacks anyway.  That is no secret; the cross site
scripting problem is well documented technically.  People just
didn't pay much attention to it because it isn't a bug in a particular
single piece of software that you can make a nice little pretty
exploit that looks good for the press.  It is a far more serious
security issue, however.

************************************************************
The message to take away here: In general, cookies are not secure from
being stolen and never will be.  The critical thing for sites to do is
minimize the risk and the impact when cookies are stolen.
************************************************************

Also interesting is the fact that I reported an almost identical (just
using %20 instead of %2f) hole to Microsoft nearly two months ago.
Unfortunately, actually getting a fix out for it got delayed and
delayed... etc. and never did end up getting released.  I'm sure that will
change now.

To summarize: almost every site that has interesting cookies is already
vulnerable to cross site scripting, so this particular hole in IE doesn't
increase that risk much.  It is still damn scary, but that has been known
for some time among people who followed the cross site scripting issue.
This also means that fixing this hole in IE removes almost none of the
risks.
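An added illustration of the two points made in the post above (not code from the post, from Microsoft, or from any of the sites listed): the echo-a-parameter-unescaped pattern that makes a site "vulnerable to cross site scripting" next to its output-encoded form, then the server-side measures that "minimize the risk and the impact when cookies are stolen": a host-only, script-unreadable session cookie and a server-side session table with a hard expiry, so a copied token stops working on its own. The function names, the example.test host and the sample URL are constructed for this example.

```python
# Added example, not part of the Bugtraq post. Names, the example.test host
# and SAMPLE_URL are constructed; nothing here is from a real site.
import html
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed request: the q parameter carries a harmless markup canary.
SAMPLE_URL = "http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _query_param(url: str, name: str) -> str:
    """Pull one query-string parameter out of a URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_unsafe(url: str) -> str:
    """The pattern behind 'vulnerable to cross site scripting': the q
    parameter is copied into the page verbatim, so any markup in it is
    parsed as part of the page (and its cookies become readable)."""
    return f"<p>Results for: {_query_param(url, 'q')}</p>"


def render_search_safe(url: str) -> str:
    """Same page with output encoding: <, >, &, and quotes become
    entities, so the parameter is shown as text, not interpreted."""
    return f"<p>Results for: {html.escape(_query_param(url, 'q'), quote=True)}</p>"


def build_session_cookie(session_id: Optional[str] = None, max_age: int = 900) -> str:
    """Set-Cookie value that bounds the damage of a leaked session cookie.
    It does not prevent theft; it keeps the token random, unreadable from
    script (HttpOnly), off plain HTTP (Secure), off cross-site requests
    (SameSite) and host-only (no Domain attribute, so a parent-domain
    cookie is not handed to every subdomain)."""
    if session_id is None:
        session_id = secrets.token_urlsafe(32)
    return "; ".join([
        f"sid={session_id}",
        f"Max-Age={max_age}",   # browser-side lifetime only; see SessionStore
        "Path=/",
        "Secure",
        "HttpOnly",
        "SameSite=Lax",
    ])


def audit_set_cookie(header: str) -> List[str]:
    """Check a Set-Cookie value for the attributes above; one finding per
    missing protection, empty list when the cookie is hardened."""
    _name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script injected into the page")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    if "domain" in attrs:
        findings.append("Domain set: shared with every subdomain, so an XSS on any of them exposes it")
    return findings


class SessionStore:
    """Server-side session table with a hard TTL. Max-Age only tells the
    browser when to drop the cookie; a stolen value stays valid until the
    server stops honouring it, so the real bound on impact lives here."""

    def __init__(self, ttl: int = 900):
        self.ttl = ttl
        self._issued: Dict[str, float] = {}   # sid -> issue time (seconds)

    def issue(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._issued[sid] = now
        return sid

    def lookup(self, sid: str, now: float) -> bool:
        """True only for a known token younger than ttl; expired or unknown
        tokens are dropped and rejected."""
        issued = self._issued.get(sid)
        if issued is None or now - issued > self.ttl:
            self._issued.pop(sid, None)
            return False
        return True
```

Running `audit_set_cookie` over the Set-Cookie headers a site actually emits is the quick check: a parent-domain cookie on a site with dozens of subdomains is the "assuming .nytimes.com cookies" case in the list above, since one reflected parameter on any subdomain is enough to read it.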

