Bugtraq mailing list archives

Re: TXT or HTML? -- IE NEW BUG


From: Tom Laermans <tom.laermans () powersource cx>
Date: Sun, 29 Jul 2001 13:20:53 +0200

Hi,

At 12:42 28/07/2001, you wrote:
> It is my belief that Microsoft is aware of this. After all, they know they
> have html parsers on their programs, because that's one of the functions of
> those (go imagine IE not parsing html targets on files it reads stand-alone.
> it wouldn't be a browser at all). Thus, this is no bug at all. Probably the
> code parsing shouldn't be done in files other than .html, .htm, but if it is
> not to be considered as a bug.

Actually, it is a very large bug. Windows uses some sort of content-type in its registry for all file extensions (check it out) ... Damn, there are no content-type thingies in 2K .. there WERE in 98 .. I'm sure of it. It should only interpret for the HTML content type (text/html iirc) ... NOT for any other. So don't filter on .html, .htm, but only on the content type. (Why else is the Content-Type: header present??)

> I consider these not solutions to what you point out as a problem, but

They are...

> general tips to avoid security problems. Antiviral software won't prevent
> html parsers from doing their job. Also, changing name of system utilities
> won't do anything at all. About your 4th solution. I don't believe antiviral
> software detects any kind of html or activex as being potentially harmful.

Actually it does. If I surf to a site defaced with the IIS/sadmind worm, like www.nntp.be (their webmaster was mailed a long time ago that their site was defaced, but... *sigh* oh well, now I can use this as an example), McAfee VShield pops up saying "Infected filename: <blablabla\temporary internet files\blablabla> infected with SunOS/BoxPoison.worm ....... So it does warn... twice, even.

> And finally, I don't believe any patch will come out to prevent html
> parsing.

Of course not. Then there would be no browsers anymore. But there HAS to come a patch to prevent html parsing on non-html files.

Tom

-------------------------------------------------
Web: http://www.powersource.cx --- ICQ#: 12120754
Also check this out:  http://kickme.to/sidewinder
Need some cheats?? http://www.chaos-cheatbase.com
Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
-------------------------------------------------
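The point Tom makes above (decide how to render a file from its declared content type, never from its extension or from what the bytes look like) is easy to show in code. The following is an added illustration, not code from the mail or from any browser: a toy "viewer" with three dispatch policies, run over a constructed `notes.txt` that is declared `text/plain` but happens to contain markup. The resource names, the `looks_like_html` heuristic and the `Resource` type are all assumptions made for the example.

```python
import html
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Content types that legitimately carry active markup. Anything else is shown
# as inert text, which is the behaviour the mail argues a browser should have.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Resource:
    name: str                    # file name as the user sees it (hypothetical)
    content_type: Optional[str]  # declared type: HTTP Content-Type header or registry entry
    body: bytes


def looks_like_html(body: bytes) -> bool:
    """Content sniffing: guess 'HTML' from the first bytes. This is the
    behaviour under discussion, kept here only as the insecure contrast."""
    head = body[:512].lower()
    return any(tag in head for tag in (b"<html", b"<body", b"<script"))


def policy_sniff(res: Resource) -> str:
    """Ignore the declared type; render as HTML if the bytes look like HTML."""
    return "html" if looks_like_html(res.body) else "text"


def policy_extension(res: Resource) -> str:
    """Dispatch on the file extension only (what the thread proposes filtering on)."""
    return "html" if res.name.lower().endswith((".html", ".htm")) else "text"


def policy_content_type(res: Resource) -> str:
    """Dispatch strictly on the declared Content-Type. A missing or unknown
    type falls back to inert text, never to HTML."""
    declared = (res.content_type or "").split(";")[0].strip().lower()
    return "html" if declared in HTML_TYPES else "text"


def render(res: Resource, policy: Callable[[Resource], str]) -> Tuple[str, str]:
    """Return (handler, rendered_markup). Text is HTML-escaped so that markup
    inside a text file is displayed literally instead of being interpreted."""
    handler = policy(res)
    text = res.body.decode("utf-8", errors="replace")
    if handler == "html":
        return "html", text            # markup is interpreted by the HTML engine
    return "text", html.escape(text)   # markup is shown as characters only


# Constructed sample: a plain-text file whose author pasted some markup into it.
NOTES_TXT = Resource(
    name="notes.txt",
    content_type="text/plain",
    body=b"Meeting notes\n<script>alert('this should never run')</script>\n",
)

# Constructed sample: a genuine page, declared as such.
INDEX_HTML = Resource(
    name="index.html",
    content_type="text/html; charset=utf-8",
    body=b"<html><body><b>hello</b></body></html>",
)


def compare_policies(res: Resource) -> dict:
    """Which handler each policy picks for one resource."""
    return {
        "sniff": policy_sniff(res),
        "extension": policy_extension(res),
        "content_type": policy_content_type(res),
    }


if __name__ == "__main__":
    for res in (NOTES_TXT, INDEX_HTML):
        print(res.name, compare_policies(res))
    handler, out = render(NOTES_TXT, policy_content_type)
    print(handler, out)
```

For `notes.txt` the sniffing policy picks the HTML engine and the `<script>` element becomes live, while the content-type policy keeps the file as escaped text. The extension policy happens to agree here, but it is the weaker rule: the declared type is the only signal the sender actually controls and labels, which is exactly why the `Content-Type:` header exists. Modern browsers let a server pin this choice with the `X-Content-Type-Options: nosniff` response header, the same decision made explicit.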

