Bugtraq mailing list archives
Re: TXT or HTML? -- IE NEW BUG
From: Tom Laermans <tom.laermans () powersource cx>
Date: Sun, 29 Jul 2001 13:20:53 +0200
Hi,

At 12:42 28/07/2001, you wrote:

> It is my belief that Microsoft is aware of this. After all, they know they have html parsers on their programs, because that's one of the functions of those (go imagine IE not parsing html targets on files it reads stand-alone. It wouldn't be a browser at all). Thus, this is no bug at all. Probably the code parsing shouldn't be done in files other than .html, .htm, but if it is not to be considered as a bug.

Actually, it is a very large bug. Windows uses some sort of content-type in its registry for all file extensions (check it out) ... Damn there are no content-type thingies in 2K .. there WERE in 98 .. I'm sure of it. It should only interpret for the HTML content type (text/html iirc) ... NOT for any other. So don't filter on .html, .htm, but only on the content type. (why else is the Content-Type: header present??)

> I consider these not solutions to what you point out as a problem, but

They are...

> general tips to avoid security problems. Antiviral software won't prevent html parsers from doing their job. Also, changing name of system utilities won't do anything at all. About your 4th solution. I don't believe antiviral software detects any kind of html or activex as being potentially harmful.

Actually it does. If I surf to a site, defaced with the IIS/sadmind worm, like www.nntp.be (their webmaster was mailed a long time ago that their site was defaced, but... *sigh* oh well, now I can use this as an example), McAfee VShield pops up saying "Infected filename: <blablabla\temporary internet files\blablabla> infected with SunOS/BoxPoison.worm ......." So it does warn... twice, even.

> And finally, I don't believe any patch will come out to prevent html parsing.

Of course not. Then there would be no browsers anymore. But there HAS to come a patch to prevent html parsing on non-html files.

Tom
-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out: http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive! http://skynetbbs.dyns.cx
-------------------------------------------------
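
The rule argued for in the message above (run the HTML parser only when the declared content type is text/html, whatever the file extension or contents), as an added example that is not part of the original post. The function names, the constructed sample file and the simplified sniffing check are assumptions for illustration, not Internet Explorer's actual logic.

```python
import re
from email.message import Message

HTML_TYPES = {"text/html"}  # the only type the post says should be interpreted as HTML


def media_type(content_type_header):
    """Return the lowercase type/subtype of a Content-Type value, or None if absent."""
    if not content_type_header:
        return None
    msg = Message()
    msg["Content-Type"] = content_type_header
    # get_content_type() drops parameters such as charset, lowercases the value,
    # and falls back to text/plain when the value is malformed (fails closed).
    return msg.get_content_type()


def looks_like_html(body):
    """Simplified stand-in for content sniffing (assumption, not IE's algorithm)."""
    return re.search(rb"<\s*(html|body|script|iframe)\b", body[:512], re.I) is not None


def render_policies(filename, content_type_header, body):
    """Compare three ways of deciding whether to run the HTML parser on a file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "by_extension": ext in {"html", "htm"},
        "by_sniffing": looks_like_html(body),
        "by_content_type": media_type(content_type_header) in HTML_TYPES,
    }


# Constructed sample: a body containing markup, served under different names and types.
SAMPLE_BODY = b"<html><body><script>document.title='parsed'</script></body></html>"

if __name__ == "__main__":
    cases = [
        ("notes.txt", "text/plain", SAMPLE_BODY),                # sniffing parses it, type does not
        ("page.html", "text/html; charset=utf-8", SAMPLE_BODY),  # all three agree
        ("page.html", "text/plain", SAMPLE_BODY),                # extension parses it, type does not
        ("download.bin", None, SAMPLE_BODY),                     # no declared type: not HTML
    ]
    for name, ctype, body in cases:
        print(name, ctype, render_policies(name, ctype, body))
```

Only the `by_content_type` policy keeps the `notes.txt` case out of the HTML parser, which is the behaviour the post asks for.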