Bugtraq mailing list archives
Re: More Internet Explorer zone confusion
From: walt () BLARG NET (Walt Armour)
Date: Mon, 8 Mar 1999 00:18:10 -0800
I would agree that these are still issues but there is a difference between them and the original problem.

With the original problem any site could redirect you to a site and make it look like Local Intranet simply by using the 'http://031713501415/' format.

With these two new issues someone must have direct knowledge about your machine's configuration or have direct access to your machine in order to make a not-quite-too-common configuration change. If either of these situations occurs then the safety level of my browser will quickly become the least of my worries. :)

IMO Microsoft is right in saying that the problems are (marginally) different. Whether or not their method for determining "local intranet" is right is a completely different subject.

walt

On Fri, 5 Mar 1999, Jim Paris wrote:
Even after the patch described in Microsoft Security Bulletin MS98-016 (http://www.microsoft.com/security/bulletins/ms98-016.asp), IE4 still has big problems with distinguishing between sites that belong in the "Internet Zone" and sites that belong in the "Local Intranet Zone".

MS98-016 dealt with addresses such as http://031713501415/, which resolve to Internet hosts but are categorized as being in the "Local Intranet Zone".

I've found two cases where the problem still exists. The first is when the user has the "Domain Suffix Search Order" in the TCP/IP DNS settings set to include domains such as "com". In that case, the address http://microsoft/ will retrieve the page at http://microsoft.com/ but it will be considered to be in the "Local Intranet Zone".

The second case occurs when a host has an assigned alias in the hosts table (C:\WINDOWS\HOSTS). A host table entry such as:

    207.46.131.13 hello

will cause the URL http://hello/ to retrieve the page at http://207.45.131.13/, but (yep, you guessed it) Internet Explorer still considers it to be in the "Local Intranet Zone".

This has security implications, since settings for the Local Intranet Zone may be (and, by default, ARE) less secure than those for the Internet Zone.

And the funny part? Microsoft's response when I told them this:

--8<---cut here-----------------------------------------

Hi Jim -

Had a talk with one of the IE developers, and this behavior is correct. Here's why: it's impossible to tell from an IP address whether it's internal or external. 100.100.100.100, or any other address, could be either internal or external, depending on whether you're behind a firewall or not. That means that IE has to rely on the URL. By convention, an URL that does not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an internal site. I'm told that this is how all web browsers make the distinction. You have to make specific reconfigurations to allow the dotless URLs to resolve externally.

Thanks,
Secure () Microsoft Com

--8<---cut here-----------------------------------------

"This behavior is correct"?!?!?! Give me a break. They obviously didn't think so when they released the MS98-016 bulletin.

Jim Paris
jim () jtan com
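
A defender's audit for the two configurations described in the message above, written as an added example (not code from the post or from Microsoft). `heuristic_zone` models only the rule as stated in the quoted reply; the function names and the sample hosts text are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample; only the "hello" entry comes from the post.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
10.1.2.3       intranet   # constructed internal server
207.46.131.13  hello
"""

def heuristic_zone(url):
    """Model of the rule in the quoted reply: host without a dot => intranet."""
    host = urlsplit(url).hostname or ""
    return "Local Intranet" if "." not in host else "Internet"

def numeric_host_to_ip(host):
    """Decode an all-digit dotless host (leading 0 = octal) to IPv4, else None."""
    if not host.isdigit():
        return None
    try:
        value = int(host, 8) if host.startswith("0") and len(host) > 1 else int(host)
    except ValueError:  # digits 8 or 9 in an octal literal
        return None
    return ipaddress.IPv4Address(value) if value < 2**32 else None

def audit_hosts(hosts_text):
    """Return (alias, ip) pairs where a dotless alias points at a public address."""
    findings = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if ip.is_private or ip.is_loopback:
            continue
        findings += [(name, str(ip)) for name in fields[1:] if "." not in name]
    return findings

def audit_suffixes(suffixes):
    """Return DNS search suffixes that are a bare top-level label such as 'com'."""
    return [s for s in suffixes if "." not in s.strip(".")]

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS), audit_suffixes(["corp.example.com", "com"]))
    print(numeric_host_to_ip("031713501415"), heuristic_zone("http://hello/"))
```

Any finding from `audit_hosts` or `audit_suffixes` marks a dotless name that the quoted rule would place in the Local Intranet Zone even though it reaches an Internet host.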